        THE DRUG ENFORCEMENT ADMINISTRATION’S
      MANAGEMENT OF ENTERPRISE ARCHITECTURE AND
         INFORMATION TECHNOLOGY INVESTMENTS


                       EXECUTIVE SUMMARY


       To properly manage its IT investments, the DEA is in the process
of developing an Enterprise Architecture (EA) and an Information
Technology Investment Management (ITIM) process. An EA
establishes an agencywide roadmap to achieve an agency’s mission
through optimal performance of its core business processes within an
efficient IT environment. ITIM involves implementing processes such
as: identifying existing IT systems and projects, identifying the
business needs for the projects, tracking and overseeing projects’
costs and schedules, and selecting new projects rationally.
Governmentwide reviews by the Government Accountability Office
(GAO) and audits by the Office of the Inspector General (OIG)
covering IT management in the DEA found weaknesses in aspects of
EA, ITIM, and information security. Because of the importance of the
DEA’s management of its 38 IT systems, as listed in its current EA, we
performed this audit to determine if the DEA is effectively managing its
EA and its IT investments.

      To perform the audit, we interviewed officials from the DEA, the
DOJ, the GAO, and Bearing Point – the DEA contractor developing the
EA. Additionally, we reviewed documents related to EA and IT
management policies and procedures, project management guidance,
strategic plans, IT project proposals, budgets, and organizational
structures. To determine whether the DEA is effectively managing its
EA, we requested that the DEA complete a survey originally developed
by the GAO, to identify which core elements in the EA Management
Framework have been implemented. We also used the GAO’s ITIM
Framework (Framework) and the associated assessment method to
evaluate the management of the DEA’s investments. As part of the
Framework’s assessment method, the DEA completed a
self-assessment of its IT investment management activities.

     The Information Technology Management Reform Act of 1996
(known as the Clinger-Cohen Act) requires the head of each federal
agency to implement a process for maximizing the value of the
agency’s IT investments and for assessing and managing the risks of
its acquisitions. A key goal of the Clinger-Cohen Act is for agencies to
have processes in place to ensure that IT projects are being
implemented at acceptable costs and within reasonable timeframes,
and that the projects are contributing to tangible, observable
improvements in mission performance. In addition, the
Clinger-Cohen Act requires the head of each agency to develop,
maintain, and facilitate the implementation of architectures as a
means of integrating business processes and agency goals with IT.
The Office of Management and Budget (OMB) Circular A-130 requires
each federal agency to establish and maintain a capital planning and
investment control process for IT.

       The DEA is effectively pursuing completion of both its EA and
ITIM. Although the EA is still being developed and the DEA has not
established a target date for completing its ITIM processes, the DEA is
using many sound practices from both. The DEA will be more fully
effective in managing its EA and IT investments once its EA and ITIM
processes are completed and mature.

Enterprise Architecture (EA)

      If completed in September 2004 as scheduled, the DEA EA
should provide a blueprint that will enable the DEA to more effectively
and efficiently manage its current and future IT infrastructure and
applications. The DEA has completed much of its EA, with the
exception of developing a target architecture and a transition plan to
accomplish the target architecture. To date, the DEA has established a
foundation consistent with the EA Management Framework to build its
EA program. The DEA has assigned roles and responsibilities for
developing the EA, committed resources, and established plans for
completing the remaining stages. In addition, the DEA has developed
a general, high-level description of its existing, or “as is,” architecture.
However, without a completed EA, any organization assumes some
degree of risk that it might invest in IT that is duplicative, not well-
integrated, costly, or not supportive of the agency’s mission. In
continuing to develop its EA, the DEA is taking steps to mitigate such
risks. By completing its EA, the DEA will minimize the risks even
further and provide a realistic vision of its future IT requirements.

      As of April 2004, the DEA had completed nearly 90 percent of
the EA Management Framework criteria for meeting the second of five
levels of maturity. The DEA estimates that it will cost approximately
$2.7 million to complete the EA. In FY 2002, the DEA spent $667,000
from its base appropriations for EA development. In FY 2003 the DEA
requested an additional $400,000 to continue development, but the
funding was not approved. According to the DEA’s EA Chief Architect,
approval of the requested amount would have allowed the DEA to
complete a detailed description of the existing architecture more
quickly.

      The DEA has allocated 4.25 full-time equivalent staff —
but assigned 3.25 full-time equivalent staff (.5 managers, .5 staff
members, and 2.25 contractors) — in support of EA efforts and
completion of the current EA. The Deputy Assistant Administrator of
the DEA’s Office of Information Systems, which is the office tasked
with developing the DEA’s EA, is currently serving as the Chairman of
the Department’s EA Committee. The Chief Architect, who established
the foundation for the DEA’s EA, had transferred to the DEA from the
Department’s Justice Management Division where she had dealt with
technology issues. The DEA’s Program Office has two senior analysts
and one junior analyst assigned to work on completing the EA.
Additionally, the DEA hired a contractor in October 2003 to aid in the
completion of the EA.

      In addition to funding and human resources, the DEA has
acquired tools and technology to support its EA activities. The DEA
uses the Popkin System Architect (Popkin) as its automated EA tool.
According to the Chief Architect, one reason the DEA chose Popkin is
that the Department is also using Popkin, and the future integration of
the DEA’s EA with the Department’s EA may be more easily achieved.
Because the DEA has just recently begun using the Popkin tool, we did
not assess its effectiveness in clearly and completely documenting the
DEA’s EA, but we agree that using the same tool as the Department
should aid in the future integration of the agency’s EA with the
Department’s EA.

      The DEA has established three governing committees, or
investment boards: 1) the Executive Review Board, 2) the Business
Council, and 3) the Compliance Council. Together, the three
governing committees are responsible for ensuring that the DEA’s EA
meets all federal and Departmental requirements.

      The Executive Review Board is responsible for providing
leadership to implement a managed IT capital planning and investment
control process. The IT capital planning and investment control
process includes the development and maintenance of an agencywide
EA.


      The Business Council’s primary responsibility is to ensure that
projects and investments recommended by program managers are
consistent with the DEA’s mission, strategic plan, capital planning
goals, EA, and security policy. Business Council members function as
the working level experts for the ITIM process by providing business
expertise specific to their respective business unit.

      The Compliance Council is responsible for evaluating IT
investments and the DEA’s EA to ensure compliance with legislative
regulations and DEA policy. The Compliance Council consists of
members whose day-to-day responsibilities involve a compliance area.
The members work to ensure compliance with such areas as the
Federal Enterprise Architecture, the Government Performance and
Results Act, and the Government Information Security Reform Act.
The Chief of the Strategic Business Management Section, Office of
Information Systems, chairs this committee.

      The EA Management Framework states that EA development and
maintenance should be managed as a formal program. Accordingly,
the DEA reorganized its Office of Information Systems to include a
Strategic Business Analysis Section as the EA Program Office
(Program Office). The Program Office is responsible for the
development and maintenance of the DEA EA. To accomplish its
responsibility, the Program Office coordinates with offices throughout
the DEA as well as external IT organizations. The Program Office
assists DEA customers in developing their concepts and plans for the
application of IT to their business processes, and also assists
customers with the ITIM process.

     The DEA’s methodology to develop its EA is a three-phase
approach.

Phase 1. Includes documenting, at a high-level, what currently exists
within the DEA in terms of business areas, applications, data, and
technology.

Phase 2. Includes 1) providing more detail to the current
architecture, 2) goals and objectives stated in the Department and the
DEA strategic plans, 3) performance measures, 4) aligning the DEA’s
architecture with the Federal Enterprise Architecture reference models,
and 5) aligning the architecture with the DEA’s capital planning
process.



Phase 3. Includes the establishment of the target architecture,
including security compliance and the development of a transition
plan.


       The DEA completed Phase 1 of the EA development in
September 2002. In February 2003, the DEA’s CIO submitted the
high-level description of the DEA’s current EA to the three DEA IT
governing boards for inclusion in the budget process. The DEA stated
that its contractors completed Phase 2, and as of February 2004 the
DEA was in the process of reviewing the contractor’s work for
compliance with the Federal Enterprise Architecture Framework
requirements. The DEA has not yet begun Phase 3 of the EA project.

      The DEA has not yet established measures of EA progress,
quality, compliance, and return on investment, which are necessary to
ensure that the EA meets the targeted milestones and complies with
the necessary regulatory requirements. Measuring return on
investment would tell the DEA what benefits are realized by the
development of the EA in relation to the cost of the EA development.

      The DEA did not establish a formal written and approved policy
for developing the EA. However, the DEA did establish the required
elements of the EA development policy in different ways:

     •   established the IT governing boards with representation from
         all DEA business areas to ensure agencywide commitment to
         EA development;

     •   established the EA Program Office with responsibility for
         developing the EA;

     •   created the EA Program Management Plan, which outlines the
         scope of the architecture including a description of the
         current and target architecture, as well as the transition plan,
         and addresses EA oversight, control, review, and validation
         responsibilities; and

     •   outlined the value of the EA, its relationship to the
         organization’s strategic vision and plans, and the capital
         planning process in the DEA’s IT Strategic Plan.

Yet, consolidating the EA development information in the form of an
organization policy allows any DEA staff member to consult one
document for information concerning the development and
implementation of the DEA EA.

        The DEA has developed one EA product, the high-level current
architecture. In September 2002, the DEA documented its high-level
current EA using DEA personnel assisted by a contractor. The
high-level current EA provided the DEA with descriptions of its
business processes, applications used to carry out the business
processes, data used in accomplishing the business processes,
technology used in implementing the business processes, and
stakeholders affected by the business processes. The 2002 high-level
current EA lacked the detail necessary to progress to the target
architecture, but in April 2004 the contractor added the necessary
detail, and the DEA accepted the product.

      To complete its EA, the DEA must finish two additional products:
1) the target architecture, and 2) a transition plan from the current to
the target architecture.

      The DEA’s target architecture will define the vision of the DEA’s
future business operations and supporting technology and will also
describe the desired capability and structure of the business
processes, information needs, and IT infrastructure at some point in
the future. Just as the current architecture captured the existing
business practices, functionality, and information flows, the target
architecture will reflect what the DEA needs to evolve its information
resources.

      The DEA’s transition plan will provide a step-by-step process for
moving from a current architecture to a target architecture. Such a
plan is the primary tool used for program management and investment
decisions because the plan represents the current environment as well
as any development programs that are planned or underway. To
remain current and to support continued coordinated improvements
across the DEA, the transition plan should be maintained and updated
as time and circumstances dictate. In addition, the DEA must ensure
that all EA products when completed undergo configuration
management – a process of managing changes to IT systems or
hardware – and that the target architecture addresses security as
outlined in the EA program plan.




Information Technology Investment Management

      The DEA manages its IT investments through agencywide
replicable processes rather than through a single office. To illustrate
the processes, the DEA created a graphic illustration called
“The House” (see Appendix 5) showing how strategic planning,
budgeting, procurement, ITIM, quality management, IT security,
System-Development-Life-Cycle program management, and EA work
together to accomplish the DEA’s mission.

      Most DEA divisions (Operations, Intelligence, Financial
Management, Operational Support, and Inspection) manage major IT
systems and initiatives. The Office of Information Systems is
responsible for ensuring that the procedures and applications
developed by DEA divisions and their offices are in compliance with the
DEA-wide programs for IT strategic planning, IT capital planning and
investment control, and the EA. The divisions are responsible for
specific networks and applications supporting their respective
missions.

      In December 2001, in an effort to improve its IT investment
management practices and comply with the Department’s and other
statutory regulations, the DEA developed the “ITIM Process Guide and
Transition Plan.” The purpose of the plan is to better ensure that
technological resources are linked to the DEA mission and IT Strategic
Plan while providing a solid return on investment. According to the
plan, the DEA would introduce ITIM over three years, in three phases.
Each phase would correspond to one fiscal year: Phase 1 would focus
on the business and budget side of ITIM, while Phases 2 and 3 would
focus on the technical side. Also, in Phase 2, ITIM would integrate
security activities, and in Phase 3 ITIM would integrate EA activities.

       The DEA has attained a basic ITIM capability (Stage-2 maturity)
to establish the foundation for effective and replicable IT project-level
investment selection and control processes. Selection processes
ensure that the DEA has an effective methodology for approving only
those IT projects that are consistent with its needs and goals.
Effective control processes ensure that deviations from cost and
schedule baselines can be identified quickly.

        To ensure that the select and control processes were carried
out, the DEA chartered three investment boards: the Executive
Review Board, Business Council, and Compliance Council. The DEA
created a hierarchical approach to the operation of the investment
boards to ensure that no overlaps or gaps existed within the scope of
the boards’ authorities and responsibilities.

       Before the boards become involved in the ITIM process, the
Management Group works closely with the project and program
managers to ensure the completeness of the IT investment proposals
and monitor the performance of the investments after funding.1 The
proposals are first forwarded to the Business Council for review and
scoring based on the DEA mission and goals. Based on the results of
its review, the Business Council makes recommendations to the
Executive Review Board on the IT projects for which funding has been
requested. The Executive Review Board evaluates the
recommendations to ensure that the DEA’s mission and goals are
being met through the investments and then makes final
recommendations to the DEA Administrator. The Compliance Council
ensures that IT investments comply with legislative regulations and
DEA policy.

      The DEA has completed one selection cycle within the ITIM
process and as of March 2004 was in the process of completing a
second cycle for the 2006 budget year. We reviewed the minutes of
the Business Council meeting to determine if the DEA was actually
using its prescribed selection process. According to the minutes, the
program managers made presentations to the Business Council, which
were ranked and prioritized based on how the projects met mission
goals and objectives. The Business Council’s decision was forwarded
to the Executive Review Board for further evaluation and a funding
recommendation.

      To meet the requirement of the ITIM Framework, the DEA has
required each project to have a Project Management Plan (PMP). The
PMP documents the purpose, scope, and background of the project,
the project organization, and the management and technical approach.
The PMP also contains the project schedule and funding information. A
number of supplemental exhibits are included with the PMP, for
example: project sizing and documentation requirements, project
questionnaires, staff roles and responsibilities, the work breakdown
schedule, primary points of contacts, and a system risk matrix.




      1 The Management Group within the Strategic Business Analysis Section
provides support, advice, and guidance on carrying out the ITIM process.

      In addition, the OMB requires all major IT investment plans to be
summarized and reported in the Exhibit 300.2 The Exhibit 300
captures cost, schedule, and performance data along with
earned-value, project assumptions, and risks. Further, the DEA
Investment Guide states that after a project’s concept proposal is
approved, a business case must be developed for each project for
further consideration. A business case consists of a project plan,
feasibility study, cost-benefit analysis, and concept of operations.
These documents are all part of the PMP.

       Our review of the DEA PMP determined that the DEA includes a
change control page to track all changes made to the project. We also
found that the DEA Investment Guide requires that, during the control
phase, investments are subject to periodic progress reviews to assess
cost management, schedule variance, and the realization of planned
benefits. According to the DEA, the investment boards’ activities are
evolving and will include more activities during the Control Phase in
2004. In addition, the DEA investment repository is to be updated to
reflect all changes and the results of the reviews. The EA, including
the investment repository, is made available to the investment boards
as part of the budgetary process to aid in making funding decisions.

      The development of the IT investment portfolio is an ongoing
process that includes decision-making, prioritization, review,
realignment, and reprioritization of projects that are competing for
resources and funding. The process for creating the portfolio should
ensure that each IT investment board manages investments according
to an organizational, strategic-planning perspective. The boards
should collectively analyze and compare all investments and proposals
to select those that best fit with the strategic business direction,
needs, and priorities of the entire organization.

      The DEA has documented the processes for selecting an
investment portfolio in its ITIM Process Guide. The ITIM Process Guide
provides policies and procedures that supplement and support
guidance from DOJ Order 2880.1A and OMB Circular A-11 regarding
investment analysis. The ITIM Process Guide contains detailed
processes for analyzing, selecting and maintaining the investment
portfolio. In addition, the DEA requires program managers to develop
an Exhibit 300, as explained in OMB Circular A-11, for all projects to
be submitted for final funding approval.

      2 OMB Exhibit 300 is a format used to represent a strong business case, or
purpose, for the proposed investment to agency management and the OMB.

      We also found that the DEA has taken steps to ensure that
information used to select, control, and evaluate the portfolio is
captured and maintained for future reference. The DEA is maintaining
the minutes and action items electronically from investment boards’
meetings for retrieval at a later date. The DEA also uses an
Information Technology Investment Portfolio System (ITIPS), which
tracks the planning, acquisition, and operations of Automated
Information Systems and IT investments. The ITIPS also complies
with federal requirements such as the Government Performance and
Results Act, the Paperwork Reduction Act, and the Clinger-Cohen Act.
The DEA is assessing other tools to better capture the required
information about IT investments. The DEA’s ability to effectively
capture investment information on past and present IT decisions in
one system can translate into better decisions on IT investments
during control phase activities, as well as during the evaluation and
selection processes. The ITIM Framework states that IT information
systems that deliver information that is up-to-date, encompassing,
and presented in a useful format will enhance the decision process.

      In an effort to streamline the Business Council’s and the
Executive Review Board’s access to current information on the status
of DEA IT investments, the DEA is working to adopt a Departmental
database that would provide the Department’s CIO, component CIOs,
and project managers with current status information on major and
other highly visible IT systems in the Department’s portfolio. Once
implemented, the Business Council, Executive Review Board members,
and project managers may use the database to gain a quick reference
to determine the cost, schedule, and risks for investments contained in
the DEA IT portfolio.

      The DEA has made progress toward obtaining a mature ITIM
process. However, the DEA has not established a schedule for
completing the remaining stages of the ITIM process. Also, the DEA
has not provided formal training for investment board members to
ensure that they are familiar with portfolio evaluation and
improvement procedures. However, at the beginning of the meeting,
the DEA ITIM Management Group outlines for the Business Council the
process to be used for IT investment review. A formal training session
would enable board members to become more familiar with the
ranking categories and to understand what each category entails and
how each category is important to the evaluation of each IT
investment.


      For the DEA to attain a mature ITIM process as described by the
ITIM Framework, the DEA must: 1) evaluate the performance of the
portfolio and use the information gained from the evaluation to
improve both current IT investment processes and the future
performance of the investment portfolio, 2) manage the succession of
information systems by replacing low-value systems with higher-value
systems, 3) optimize the investment process by ensuring that best
practices of other organizations are captured and incorporated within
the DEA’s IT investment process, and 4) use IT to strategically
transform work processes, while exploring new and more effective
ways of executing the DEA’s mission.

     The recommendations we made to the DEA are to:

     1.    apply metrics to measure EA progress, quality, compliance,
           and return on investment;

     2.    establish an organization policy for EA development and
           maintenance that meets the requirements of the EA
           Management Framework;

     3.    ensure that the completed EA undergoes configuration
           management;

     4.    ensure that the target architecture addresses security as
           outlined in the EA Program Plan;

     5.    complete and implement the remaining EA stages to
           ensure that IT investments are not duplicative, are well
           integrated, are cost effective, and support the DEA’s
           mission;

     6.    train members of the investment boards on the criteria for
           evaluating IT investments; and

     7.    establish a schedule for completing the remaining stages
           of the ITIM process to control and evaluate DEA’s IT
           investments.




                               TABLE OF CONTENTS


BACKGROUND
    Authorities
    Prior Reports
    Framework for Assessing IT Investment Management
    Framework for Assessing and Improving Enterprise Architecture Management
    The DEA’s Management of IT Infrastructure

FINDINGS AND RECOMMENDATIONS

Finding 1: Enterprise Architecture
      Synopsis of the Five Stages of the EA Management Framework
      Stage 1 Completed
      Stage 2 Ninety-Percent Completed
      Stage 3 Progress
      Attaining Stage 4 Maturity
      Attaining Stage 5 Maturity
      Conclusion
      Recommendations

Finding 2: Information Technology Investment Management
      Synopsis of the Five Stages of the ITIM Process
      Stage 2 Completed
      Stage 3 Not Yet Completed
      Attaining Stage 4 Maturity
      Attaining Stage 5 Maturity
      Conclusion
      Recommendations

STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS

STATEMENT ON MANAGEMENT CONTROLS

APPENDIX 1: OBJECTIVES, SCOPE, AND METHODOLOGY

APPENDIX 2: ACRONYMS

APPENDIX 3: THE THREE COMPONENTS OF THE ITIM PROCESS

APPENDIX 4: SUMMARY OF THE EA MANAGEMENT FRAMEWORK’S MATURITY STAGES, CRITICAL SUCCESS ATTRIBUTES, AND CORE ELEMENTS

APPENDIX 5: DEA’S IT MANAGEMENT PROGRAM

APPENDIX 6: DRUG ENFORCEMENT ADMINISTRATION ORGANIZATION CHART

APPENDIX 7: DEA PROGRESS THROUGH STAGE 3 OF THE EA MANAGEMENT FRAMEWORK

APPENDIX 8: FEDERAL ENTERPRISE ARCHITECTURE FRAMEWORK

APPENDIX 9: DEA PROGRESS THROUGH STAGE 3 OF THE ITIM FRAMEWORK

APPENDIX 10: THE DEA’S RESPONSE TO THE DRAFT REPORT

APPENDIX 11: OIG, AUDIT DIVISION ANALYSIS AND SUMMARY OF ACTIONS NECESSARY TO CLOSE REPORT

                                 BACKGROUND

Authorities

      The United States’ efforts to control drugs and narcotics, through
a number of offices and agencies, date back to 1915. In July 1973,
the President established the Drug Enforcement Administration (DEA)
within the Department of Justice (Department) as the successor to the
Bureau of Narcotics and Dangerous Drugs.

       The DEA’s mission is to: 1) enforce the controlled substances
laws and regulations of the United States; 2) bring to justice those
individuals or organizations involved in the growing, manufacturing, or
distributing of controlled substances destined for illicit traffic in the
United States; and 3) reduce the availability of illicit controlled
substances in the domestic and international markets. The DEA’s
primary responsibilities include the:

           •   investigation of major violators of controlled substance laws
               for prosecution;

           •   management of a national drug intelligence program in
               cooperation with federal, state, local, and foreign officials to
               collect, analyze, and disseminate strategic and operational
               drug intelligence information;

           •   seizure and forfeiture of assets derived from or used in illicit
               drug trafficking;

           •   enforcement of the Controlled Substances Act pertaining to
               the manufacture, distribution, and dispensation of legally
               produced controlled substances;3

           •   coordination and cooperation with federal, state, and local
               law enforcement officials on mutual efforts for drug
               enforcement and reduction of illicit drug availability in the
               United States; and


           •   management of programs associated with drug law
               enforcement counterparts in foreign countries and liaison
               with the United Nations, Interpol, and other organizations on
               international drug control programs.

       3 The Controlled Substances Act, Title II of the Comprehensive Drug Abuse
Prevention and Control Act of 1970, is the legal foundation of the government's fight
against the abuse of drugs and other substances. This law is a consolidation of
numerous laws regulating the manufacture and distribution of narcotics, stimulants,
depressants, hallucinogens, anabolic steroids, and chemicals used in the illicit
production of controlled substances.

      To accomplish its mission, the DEA’s headquarters in Arlington,
Virginia, oversees 237 domestic offices and 80 foreign offices in 58
countries. As of FY 2003, the DEA had approximately 4,680 special
agents and 4,949 support staff. From FY 2003 to FY 2004, the DEA’s
budget increased from $1.660 billion to $1.677 billion.4 Information
technology (IT) is essential to the DEA’s ability to properly manage its
operations and administrative functions. Funding for the DEA’s
IT-related projects increased from $201 million in FY 2003 to
$224 million in FY 2004.

       The Information Technology Management Reform Act of 1996
(known as the Clinger-Cohen Act) requires the head of each federal
agency to implement a process for maximizing the value of the
agency’s IT investments and for assessing and managing the risks of
its acquisitions. A key goal of the Clinger-Cohen Act is for agencies to
have processes in place to ensure that IT projects are being
implemented at acceptable costs and within reasonable timeframes,
and that the projects are contributing to tangible, observable
improvements in mission performance. In addition, the
Clinger-Cohen Act requires the head of each agency to develop,
maintain, and facilitate the implementation of architectures as a
means of integrating business processes and agency goals with IT.

      The Office of Management and Budget (OMB) Circular A-130
requires each federal agency to establish and maintain a capital
planning and investment control process for IT (also known as
Information Technology Investment Management, or ITIM). As
described more fully in Appendix 3, the ITIM process has three
components: select, control, and evaluate. The process integrates
the agency's strategic and financial management plans and its
acquisition and budget processes. Further, the process helps shape
the agency’s Enterprise Architecture (EA), which provides a strategy
that will enable the agency to support its current state and also act as
the roadmap for transition to its target environment.

      The following chart describes the fundamental phases of this IT
investment approach.



      4
          The budget excluded Federal Retirees and Health Benefit Costs.
         Fundamental Phases of the IT Investment Approach




             Source: The U.S. Government Accountability Office (GAO).

      In August 2001, the Department of Justice Information
Technology Investment Management Process (Guide) was issued to
implement the Clinger-Cohen Act, OMB Circular A-130, and other IT
management requirements. The Guide is intended to help make
measurable improvements in mission performance and service delivery
to the public through the strategic application of IT.

       In doing so, the Guide uses the select/control/evaluate
methodology to implement the strategic and performance directives of
the Clinger-Cohen Act and other requirements affecting IT
investments. The Guide is also intended to promote a process that
builds on existing structures to provide maximum benefit across the
Department and with other federal agencies. This process is intended
to allow the Department to focus IT management on the Department’s
strategic missions. Further, the process establishes investment review
procedures that drive budget formulation and execution for IT
systems, and it provides the methods, structures, disciplines, and
management framework that govern the way IT is deployed
throughout the Department. The Guide applies to all IT projects in all
of the Department’s components, and requires each Departmental
component to:

     •    designate a component Chief Information Officer (CIO);

     •    establish an Executive Review Board that will approve the
          entire component IT portfolio and oversee the decisions made
          about specific investments; and


      •    establish a component ITIM process that incorporates the
           Department’s ITIM process but is customized to function
           within the component’s unique environment.

     By January 2002, each component was required to submit to the
Department an ITIM plan incorporating the above items. The DEA
submitted its ITIM plan in December 2001. The JMD officially
approved the DEA’s Plan in March 2002. The 2002 approval letter
states that the DEA ITIM process conforms to the guidelines defined by
the GAO, the OMB, and the Department. It also states that the plan is
clear and comprehensive in its statement of the ITIM policy and its
definition of organizational roles, responsibilities, and deliverables.

       To date, the Department has not issued any formal guidance on
EA. However, according to the Assistant Director of the Department’s
Policy and Planning Staff within the Office of the Chief Information
Officer, the order providing such guidance should be released in the
first quarter of FY 2005. To begin developing its EA, the DEA used
guidance from the OMB, the Federal Chief Information Officer’s
Council, and the DEA’s Strategic IT Plan to develop its EA program.

Prior Reports

      We identified and reviewed six IT-related reports issued
since May 2000 by the GAO and the OIG that are applicable to
aspects of this audit.

      In May 2000, the GAO reported that although almost all
federal agencies had created some type of ITIM process, none
had implemented stable processes that address all three phases
of the select/control/evaluate approach.5 According to the GAO,
one barrier to implementing reliable ITIM has been the lack of
specific guidance on the required processes. The GAO further
stated that the select/control/evaluate approach provides sound
advice, but does not describe the organizational processes
involved.

      In February 2002, the GAO reported that the federal government
as a whole had not reached a mature state of EA management.6 In

       5
        The report is entitled Information Technology Investment Management: An
Overview of GAO’s Assessment Framework (GAO/AIMD-00-155) dated May 2000.
       6
         The report is entitled Information Technology, Enterprise Architecture Use
Across the Federal Government Can Be Improved (GAO-02-6) dated February 2002.

particular, about 52 percent of federal agencies reported having at
least the management foundation that is needed to begin successfully
developing, implementing, and maintaining an EA, and about
48 percent of agencies have not yet advanced to this basic stage of
maturity. Specifically, the GAO determined that the DEA had achieved
Stage-2 maturity. At Stage-2 maturity, the DEA established a sound
EA management foundation with the assignment of roles and
responsibilities and the establishment of plans for developing EA
products.

      In March 2002, pursuant to the FY 2001 Government
Information Security Reform Act, the OIG issued three reports on
three of the DEA’s administrative and investigative IT systems.7 The
reports identified vulnerabilities with management, operational, and
technical controls. Significant vulnerabilities were noted in the
following areas:

      •   security policies, procedures, standards, and guidelines;

      •   system and network backup and restoration controls;

      •   password management;

      •   log-on management;

      •   account integrity management;

      •   system auditing management;

      •   physical controls;

      •   software upgrading procedures;

      •   personnel controls;

      •   contingency planning; and

      •   system configuration.

      The reports also stated that these vulnerabilities occurred
because the DEA either lacked sufficient guidance, did not fully enforce
compliance with existing security policies, did not develop a complete
set of policies to effectively secure the systems, or lacked timely and

      7
        The three systems audited were the El Paso Intelligence Center Information
System (02-09), Merlin System (02-13), and Firebird System (02-10).
effective oversight from the Department and DEA management in
addressing known problems.

       In February 2004, pursuant to the Federal Information Security
Management Act (FISMA), the OIG issued a report on the DEA’s
system used to access and analyze classified information. The report
assessed the system’s compliance with FISMA and related information
security policies, procedures, standards, and guidelines. The report
identified weaknesses in the areas of management, operational, and
technical controls. The report also identified high-risk vulnerabilities
from unauthorized use, loss, or modification of data.

      The report stated that the vulnerabilities occurred because the
DEA did not always enforce its policies in accordance with current
Department policies and procedures for the system. Furthermore,
many of the vulnerabilities identified during this audit could have been
prevented if the DEA had followed up on and applied corrective actions
for similar vulnerabilities identified by the DEA and OIG in previous
years and applied them to the system.

       This report dealt primarily with the DEA’s management of
information security and not the agency’s handling of IT investments
or its EA. However, according to the CIO Practical Guide, an agency is
required to address information security within its EA. The DEA has
documented in its EA Program Plan that information security will be
addressed as a separate layer within the target architecture, which has
not yet been developed.

Framework for Assessing IT Investment Management

      To address the lack of guidance as reported in its May 2000
report, the GAO developed the IT Investment Management Framework
(ITIM Framework) to provide a common methodology for discussing
and assessing IT capital planning and investment management
practices at federal agencies.

      According to the GAO, the ITIM Framework enhances previous
federal IT investment management guidance by embedding the
select/control/evaluate approach within a framework that explicitly
describes the organizational processes required to implement sound
ITIM. Based on the best practices of leading organizations, the ITIM
Framework is a hierarchical model comprised of five maturity stages,
which represent steps toward achieving stable and mature investment
management processes. Each stage builds upon the lower stages and
enhances the organization’s ability to manage its investments. As an

agency advances through these stages, the agency’s capability to
effectively manage IT increases. In March 2004, the GAO revised the
ITIM Framework to reflect the incorporation of EA into all five maturity
stages. Our assessment of the DEA’s IT investment management was
done using the revised framework.

     The following chart describes the five maturity stages of the IT
Framework.

                 The Five Stages of Maturity Within ITIM




      Source: The U.S. Government Accountability Office.

       With the exception of the first stage, each maturity stage is
comprised of critical processes that must be implemented and
institutionalized for the organization to satisfy the requirements of that
stage. These critical processes are further broken down into key
practices that describe the types of activities in which an agency
should be engaged to successfully implement each critical process. An
organization that has these critical processes in place is in a better
position to successfully invest in IT. The following chart describes the
ITIM Framework’s five stages and associated critical processes.




      The ITIM Stages of Maturity With Critical Processes




            Source: The U.S. Government Accountability Office.

      As established by the ITIM Framework, each critical process is
comprised of five core elements that indicate whether the
implementation and institutionalization of a process can be effective
and replicated. The five core elements are: 1) purpose,
2) organizational commitment, 3) prerequisites, 4) activities, and
5) evidence of performance.

      With the exception of the “purpose” core element, each of the
other core elements contains key practices. The key practices are the
attributes and activities that contribute most to the effective
implementation and institutionalization of a critical process. The
following chart summarizes the inter-relationships of components in an
ITIM critical process.




                 Components of an ITIM Critical Process




      Source: The U.S. Government Accountability Office.

Framework for Assessing and Improving Enterprise
Architecture Management

      Enterprise Architectures provide a clear and comprehensive
picture of an entity, whether an organization or a functional or mission
area that crosscuts more than one organizational unit. According to
the GAO, investing in IT without defining these investments in the
context of an EA often results in systems that are duplicative, not well
integrated, and unnecessarily costly to maintain and interface.

       An EA is made up of four components: Business Architecture,
Applications Architecture, Data Architecture, and Technical
Architecture. Together, these components provide a clear picture of
how an organization accomplishes its mission, goals, and objectives.
It also provides the baseline from which initiatives are planned and
later compared.

     Business Architecture focuses on “what” is done as opposed to
“who” does it. It captures the business itself, independent of any
technology, by describing the business areas and processes including
common information requirements. Business Architecture is based on
an agency’s strategic plan and is linked to the application, data, and
technology layers of the EA.

       Applications Architecture is the means by which the agency and
its personnel create, reference, update, or delete data acquired

and collected by an agency. In essence, Application Architecture
provides the link between the data and the entities required to perform
the business functions, allowing an agency to fulfill its mission.

      Data Architecture describes the data an agency needs for
business operations and provides a data-related viewpoint. Data
Architecture consists of universally accepted definitions that an agency
uses to describe data. Completed Data Architecture provides an
overall picture of the information an agency collects, manipulates, and
stores in order to accomplish its mission.

      Technical Architecture provides the platform for many business
operations, the applications, and the enterprise data. Technical
Architecture is what allows the entities performing business functions
to use applications to manipulate the data necessary for an agency to
accomplish its mission.

      Since the late 1980s, EA Management Frameworks have
emerged within the federal government, beginning with the publication
of the National Institute of Standards and Technology framework in
1989. In 1992, the GAO issued EA guidance entitled Strategic
Information Planning: Framework for Designing and Developing
System Architecture. This EA Management Framework was intended
to:

      •   provide a basis for systematically determining information
          needs,

      •   identify and analyze information and data needs and
          relationships,

      •   identify and analyze alternative ways to satisfy information
          needs, and

      •   provide factors to be considered in arriving at the best way to
          satisfy information needs.

      Since 1992, other federal entities have issued EA Management
Frameworks, including the Department of Defense, the Department of
the Treasury, and the Federal Chief Information Officers Council
(CIO Council). Although the various frameworks use different
structures, the frameworks are fundamentally consistent in purpose
and content, and are being used today to varying degrees by many
federal agencies.


      In April 2003, the GAO, in collaboration with the OMB and the
CIO Council, published a new EA Management Framework.8 The new
EA Management Framework provides measures for management to
assess progress toward the desired end and to take corrective action
to address unacceptable deviations.

      The GAO EA Management Framework consists of three basic
components: 1) five hierarchical stages of management maturity,
2) categories of attributes that are critical to the success in managing
any endeavor, and 3) elements of EA management that form the core
of the CIO Council’s Practical Guide.9

      Consistent with the ITIM Framework, the EA Management
Framework outlines five maturity stages. These stages include steps
toward achieving a stable and mature process for managing the
development, maintenance, and implementation of an agency’s EA. As
an organization improves its EA management capabilities, its EA
management maturity increases.

     With the exception of the first stage, each maturity stage is
composed of four critical success attributes that are critical to the
successful performance of any management function. They are:

       •   Demonstrates Commitment by the head of the enterprise
           providing support and sponsorship to achieve the success of
           the EA effort.

       •   Provides the Capability to Meet Commitment by
           developing, maintaining, and implementing EA through
           adequate resources, clear definitions of roles and
           responsibilities, and implementing organizational structures
           and process management controls that promote
           accountability and effective project execution.

       8
        The framework is entitled Information Technology, A Framework for
Assessing and Improving Enterprise Architecture Management, Version 1.1,
(GAO-03-584G) dated April 2003.
       9
         Federal Chief Information Officers (CIO) Council. A Practical Guide to
Federal Enterprise Architecture, Version 1.0, February 2001. This publication is also
known as the CIO Council’s Practical Guide, which is a step-by-step process guide
intended to assist agencies in defining, maintaining, and implementing EAs by
providing a disciplined and rigorous approach to EA management.




      •   Demonstrates Satisfaction of Commitment to develop,
          maintain, and implement EA by producing EA plans and
          products.

      •   Verifies Satisfaction of Commitment by measuring and
          disclosing the extent to which efforts to develop, maintain,
          and implement the EA have fulfilled stated goals or
          commitments. Measuring performance allows for tracking
          progress toward stated goals, allows appropriate actions to
          be taken when performance deviates significantly from goals,
          and creates incentives to influence both institutional and
          individual behaviors.

       Collectively, these attributes form the basis by which an
organization can institutionalize management of any given function or
program, such as EA management. Each attribute contains core
elements that contribute to the effective implementation and
institutionalization of a critical success attribute. Appendix 4
summarizes the interrelationships of components in the EA
management process.

The DEA’s Management of IT Infrastructure

       The DEA seeks to manage its IT investments through
agencywide repeatable processes rather than a single office. To
illustrate the processes, the DEA has created a graphic illustration
called “The House” (see Appendix 5) showing how strategic planning,
budgeting, procurement, ITIM, quality management, IT security,
System-Development Life-Cycle program management, and EA work
together to accomplish the DEA’s mission. In reference to ITIM and
EA, The House shows how each phase of the ITIM process relates to
one or more of the architectural models. For example, by consulting
The House, a DEA staff member can see that in the Control Phase of
ITIM, the Data, Application, and Technology architectures should be
reviewed before making a decision about the status of the project.

      Reflecting the DEA’s decentralized ITIM, several divisions
manage major IT initiatives: the Operations Division, the Intelligence
Division, the Financial Management Division, the Operational Support
Division, and the Inspection Division. These divisions are responsible
for specific networks and applications supporting their respective
missions.

      The Office of Diversion Control, within the DEA’s Operations
Division, manages the design, development, and operation of the

infrastructure and applications supporting DEA programs with the
medical community and the chemical and pharmaceutical industries.
The DEA’s Intelligence Division manages the classified network and the
associated applications. The El Paso Intelligence Center, within the
Intelligence Division, develops and manages infrastructure and
applications that support customers at the federal, state, and local
levels. The Financial Management Division is responsible for managing
the DEA’s financial management systems.10

       The DEA Chief Information Officer is the Assistant Administrator
for the Operational Support Division, and reports to the DEA
Administrator. The Deputy CIO is the Deputy Assistant Administrator
for the Office of Information Systems and reports to the CIO. The
Deputy CIO is responsible for the design, deployment, and operation
of DEA’s general support networks, the majority of application systems
supporting DEA’s mission, and the supporting quality management
program. Staff in the Office of Information Systems work closely with
customers from virtually all DEA offices, both in headquarters and the
field (domestically and internationally). The Deputy CIO also manages
the DEA-wide programs for IT strategic planning, IT capital planning
and investment control, and EA.

       The Office of Information Systems coordinates with each office
to ensure that the procedures and applications developed by these
offices are in compliance with the DEA-wide programs for IT strategic
planning, IT capital planning and investment control, and the EA. The
Office of Investigative Technology is responsible for the systems that
support telecommunications intercepts.

       The Office of Security Programs in the Inspection Division is
responsible for DEA’s IT security program. This includes development
of policies and procedures, management of system certification and
accreditation, coordination with the Department of Justice, reporting
as required by the FISMA, and security monitoring of DEA networks.

      Recent Efforts

      The DEA has established three governing committees to facilitate
its EA and ITIM development processes: 1) the Executive Review
Board, 2) the Business Council, and 3) the Compliance Council.
Together, the three governing committees are responsible for ensuring
that the DEA’s EA and ITIM meet all federal and Departmental
requirements.

      10
         For a further breakdown of how DEA divisions are laid out, see the DEA
Organization Chart in Appendix 6.
      The Executive Review Board is responsible for providing
leadership to implement a managed IT capital planning and investment
control process. The IT capital planning and investment process
includes the development and maintenance of an agencywide EA. The
DEA’s CIO and the DEA’s Chief Financial Officer (CFO) jointly chair the
Executive Review Board.

      The Business Council is responsible for ensuring that projects
and investments recommended by program managers are consistent
with the DEA’s mission, strategic plan, capital planning goals, EA, and
security policy. The Deputy Assistant Administrator, Office of
Information Systems, chairs the Business Council.

      The Compliance Council is responsible for evaluating IT
investments and the DEA’s EA to ensure compliance with legislative
regulations and DEA policy. The Chief of the Strategic Business
Management Section, Office of Information Systems, who is also the
Chief Architect, chairs this committee.

       In accordance with OMB guidance and best practices as outlined
by the Federal CIO Council, the DEA has begun the construction of an
EA. At the time of our audit, the DEA had completed a high-level
“as is” EA. A high-level “as is” EA is a representation of current
capabilities and technologies and is expanded as additional segments
are defined.

      The DEA’s high-level “as is” EA defines four architectural layers:
1) the business processes to accomplish the mission, 2) the
information, 3) the software applications supporting the business, and
4) the technology necessary to perform the mission. The DEA’s CIO
has approved the DEA’s high-level “as is” EA.

      As stated previously, in December 2001 the DEA developed the
“ITIM Process and Transition Plan” in an effort to improve its IT
investment management practices and comply with the Department’s
and other statutory regulations. The purpose of the plan is to better
ensure that technological resources are linked to the DEA mission and
IT Strategic Plan while providing a solid return on investment.
According to the plan, the DEA would phase in ITIM over three years,
in three phases ending in FY 2004. Each phase would correspond to
one fiscal year. Phase 1 would focus on the business and budget side
of ITIM, while Phases 2 and 3 would focus on the technical side. Also,
in Phase 2 ITIM would integrate security activities, and in Phase 3 ITIM
would integrate EA activities.


      The following excerpts from the plan provide an overview of how
the DEA’s select, control, and evaluate processes for ITIM are intended
to operate.

       Select

       During the Select Phase, new projects are introduced to the
       Executive Review Board for consideration. A program manager
       prepares a Concept Proposal for funding consideration by the
       Executive Review Board.11 When completed, the program
       manager sends the Concept Proposal to the ITIM Management
       Group to be processed through the Business Council and the
       Executive Review Board. If the Executive Review Board
       determines that the concept has merit, then the program
       manager may spend an initial amount of money to prepare a
       business case for inclusion in the budget process.12

       Control

       During the Control Phase, funded investments are under
       development. A program manager submits monthly status
       reports to the ITIM Management Group for analysis. These
       reports include expenditures and work completed to date. The
       ITIM Management Group collects this information for the entire
       portfolio, analyzes the data, and identifies investments that
       might be at risk. The ITIM Management Group follows up with
       at-risk investments to determine if problems exist and how the
       problems should be solved.

      Evaluate

       During the Evaluate Phase, all IT investments currently in
       operation or maintenance and in need of continued funding are
       monitored to ensure that the investment is appropriately
       managed and continues to produce expected results and mission
       benefits. Periodic progress reviews are conducted to evaluate
       the investment’s continued value to mission benefits and
       alignment with EA direction. The Business Council

       11
          The Concept Proposal is a 2- to 5-page document that presents a
high-level concept for a new investment. At this stage, the document represents an
idea that the program manager wishes to bring to the attention of the Executive
Review Board for funding consideration.
       12
          The funding for preparing the business case is not included as a line item
within the DEA’s approved budget. The program manager must find alternative
resources to produce the business case.
      predetermines which investments are candidates for retirement
      or upgrade, and passes this recommendation to the Executive
      Review Board, which uses this information for funding decisions.

      The JMD officially approved the DEA’s Plan in March 2002. The
March 2002 approval letter states that the DEA ITIM process conforms
to the guidelines defined by the GAO, the OMB, and the Department.
Further, it states that the Plan is clear and comprehensive in its
statement of the ITIM policy and its definition of organizational roles,
responsibilities, and deliverables.




                FINDINGS AND RECOMMENDATIONS

Finding 1: Enterprise Architecture

      The DEA is in the process of developing its EA, scheduled
      to be completed in September 2004, that should provide a
      blueprint that will enable the DEA to more effectively and
      efficiently manage its current and future IT infrastructure
      and applications. The DEA has completed much of its EA,
      with the exception of developing a target architecture and
      a transition plan to accomplish the target architecture.
      The DEA has established a foundation consistent with the
      EA Management Framework to build its EA program. The
      DEA has assigned roles and responsibilities for developing
      the EA, committed resources, and established plans for
      completing the remaining EA stages. In addition, the DEA
      has developed a general, high-level description of its
      existing, or “as is,” architecture. The DEA is effectively
      managing its EA under the structure completed to date.
      However, without a completed EA, any organization
      assumes some degree of risk that it might invest in IT that
      is duplicative, not well-integrated, costly, or not supportive
      of the agency’s mission. In continuing to develop its EA,
      the DEA is taking steps to mitigate such risks. By
      completing its EA, the DEA will minimize the risks even
      further and provide a realistic vision of its future IT
      requirements.

Synopsis of the Five Stages of the EA Management Framework

       To implement the five stages of the EA Management Framework,
the DEA must also complete four critical success attributes:
1) demonstrates commitment, 2) provides the capability to meet the
commitment, 3) demonstrates satisfaction of commitment, and
4) verifies satisfaction of commitment. Each attribute contains core
elements that contribute to the effective implementation and
institutionalization of the critical success attribute. Collectively, these
attributes form the basis by which an organization can institutionalize
management of any given function or program.

      Stage 1. At this stage, there are no core elements to be
completed. However, the DEA must create an awareness of the value
of developing and using an EA by providing the management



foundation necessary for successful EA development as defined in
Stage 2. 13

     Stage 2. To complete this stage, the DEA needs to: 1) assign
EA management roles and responsibilities; 2) commit the resources –
people, processes, and tools – necessary to develop an architecture;
and 3) establish plans to develop EA products and measure program
progress and EA product quality. As of April 2004, the DEA had
completed about 90 percent of the EA Management Framework criteria
for meeting the Stage-2 level of maturity.

      Stage 3. The DEA is moving from building the EA management
foundation to developing EA products for Stage 3. To complete
Stage 3, the DEA must: 1) establish organization policy for the EA
development; 2) ensure that EA products are under configuration
management; 3) ensure that EA products describe both the current
and target environments of the agency; and 4) ensure that progress
against EA plans is measured and reported.14 As of April 2004, the
DEA had completed one EA product – the current architecture.

      Stage 4. Additional work must be completed before the EA is
used as intended in Stage 4 – to drive sound IT investments that are
consistent with the DEA’s goals and missions. To complete the stage,
the DEA needs to: 1) establish policy for maintaining the EA, and
2) complete the EA including the current and target architectures
along with the transition plan to get from the current to the targeted
environments. The completed EA must be described in terms of
business, data, application, and technology and the descriptions must
address security; and it must be approved by the DEA’s CIO and the
Executive Review Board. The DEA is working on adding more detail to
the high-level description of its current EA and developing the target
architecture, with completion planned by September 2004.

      Stage 5. To reach Stage 5 maturity, an agency must be using the EA
as intended – to drive IT investments and ensure systems’
interoperability. The DEA has not completed the EA Management
Framework criteria for Stage 5; however, once Stage 4 has been
completed in September 2004, the DEA will then be in a position to
implement its EA as required in Stage 5. The status of each EA
Management Framework stage in the DEA follows.

      13
        See Appendix 7 for a table showing DEA’s EA progress through Stage 3 of
the EA Management Framework.
      14
         Configuration management is the process of managing changes to IT
systems or hardware.

Stage 1 Completed

      The DEA has created an awareness of the value of developing
and using the EA by providing the management foundation necessary
for successful EA development as defined in Stage 2. Specifics about
how the DEA accomplished this are discussed in detail in Stage 2.

Stage 2 Ninety-Percent Completed

       The DEA has completed eight of the nine core elements required
by the EA Management Framework and has achieved three of the four
critical attributes. The remaining attribute to be completed is verifying
that management’s commitment to the establishment of the EA has
been satisfied through the development of measures for EA progress,
quality, compliance, and return on investment.

Critical Attribute 1: Demonstrates Commitment

      To complete the first critical attribute for Stage 2 of the EA
Management Framework, the DEA demonstrated its commitment to
building an EA management foundation by establishing two core
elements:

      1) to ensure the existence of adequate resources, and

      2) to establish DEA-wide committees responsible for directing,
         overseeing, and approving the EA.

       Adequate Resources. According to the EA Management
Framework, obtaining adequate resources includes: 1) identifying and
securing the funding necessary to support EA activities; 2) hiring and
retaining the right people with the proper knowledge, skills, and
abilities to plan and execute the EA program; and 3) selecting and
acquiring the right tools and technology to support EA activities.

      The DEA initiated the development of an EA program in 2002
and estimates that it will cost approximately $2.7 million to complete
the EA by September 2004. The following table shows the DEA’s
expenditures as of FY 2003 to develop an EA and the estimated cost to
complete the EA to Stage 5, or full maturity.



                            EA Development Cost

      Cost Element              Actual Cost       Estimated         Estimated
                                Through FY 03     Remaining Cost    Total Cost
      Agency Personnel               $188,000          $417,000        $605,000
      Development Contractor         $345,000        $1,727,000      $2,072,000
      Tools                                $0           $30,000         $30,000
      Training                         $3,500           $10,000         $13,500
      Total                          $536,500        $2,184,000      $2,720,500

       Source: The Drug Enforcement Administration.

      In FY 2002, the DEA spent $667,000 from its base
appropriations for EA development. In FY 2003 the DEA requested an
additional $400,000 to continue developing EA, but the funding was
not approved. According to the DEA’s EA Chief Architect, approval of
the requested amount would have allowed the DEA to complete a
detailed description of the existing architecture more quickly.15 She
also stated that the DEA was able to contract out the EA development
project using funds from other sources.

       The DEA has allocated 4.25 full-time equivalent staff, but has
assigned 3.25 full-time equivalent staff (.5 managers, .5 staff
members, and 2.25 contractors), in support of EA efforts and
completion of the current EA. The Deputy Assistant Administrator of
the DEA’s Office of Information Systems, which is the office
responsible for developing the DEA’s EA, is currently serving as the
Chairman of the Department’s EA committee. The Chief Architect, who
established the foundation for the DEA’s EA, had transferred to the
DEA from the Department’s Justice Management Division where she
had dealt with technology issues. The DEA’s Program Office has two
senior analysts and one junior analyst assigned to work on completing
the EA.16 Additionally, the DEA hired a contractor in October 2003 to
aid in the completion of the EA.


       15
         The Chief Architect retired in March 2004, and an Acting Chief Architect was
designated.
       16
        The Program Office was established within the Office of Information
Systems to oversee the development and maintenance of the EA.

      In addition to funding and human resources, the DEA has
acquired tools and technology to support its EA activities. The DEA
uses the Popkin System Architect (Popkin) as its automated EA tool.17
According to the Chief Architect, one reason the DEA chose Popkin is
that the Department is also using Popkin and the future integration of
the DEA’s EA with the Department’s EA may be more easily achieved.
Because the DEA has just recently begun using the Popkin tool, we did
not assess its effectiveness in clearly and completely documenting the
DEA’s EA, but we agree that using the same tool as the Department
should aid in the future integration of the agency’s EA with the
Department’s EA.

      EA Governing Committees. The EA Management Framework
states that an agency should assign responsibility for directing,
overseeing, and approving architectures to a committee or group with
cross-representation from throughout the enterprise. Establishing
agencywide responsibility and accountability is important to
demonstrate the agency’s commitment to building a management
foundation for the EA and obtaining buy-in from across the agency.
Accordingly, the committee or group should include executive-level
representatives from each line of the business, and these executive
representatives should have the authority to commit resources and
enforce decisions within their respective organizational units.

      To meet the requirements of the EA Management Framework,
the DEA established three governing committees: 1) the Executive
Review Board, 2) the Business Council, and 3) the Compliance Council.
Together, the three governing committees are responsible for ensuring
that the DEA’s EA meets all federal and Departmental requirements.

      The Executive Review Board is responsible for providing
leadership to implement a managed IT capital planning and investment
control process. The IT capital planning and investment process
includes the development and maintenance of an agencywide EA.
The Executive Review Board has the authority to recommend or
approve:

       •    the continuation, modification, or termination of funding for IT
            investments;

       •    the delay of a subsequent activity in a project plan;

       •    corrective action based on the results of the board’s review;

      •    members of the Business Council; and

      •    changes to the DEA’s EA and its ITIM process.

       17
        The Popkin System Architect is an enterprise architecture tool that stores
and organizes the agency’s overall EA information.

      The Executive Review Board’s responsibility to the EA
development consists of approving the completed EA and any
subsequent changes. Consequently, it would not meet until the EA is
completed. At this point of the EA development process, the EA
Program Office is responsible for ensuring the integrity of the EA in
meeting the DEA’s mission and goals.

      The DEA’s Chief Information Officer and the DEA’s CFO jointly
chair the Executive Review Board. In our judgment, the membership
of the Executive Review Board demonstrates an agencywide leadership
commitment to the EA process.18 The Executive Review Board
membership consists of the following:

      •    Assistant Administrator, Operational Support Division, and
           CIO.

      •    Chief Counsel, Office of the Chief Counsel.

      •    Deputy Assistant Administrator, Office of Diversion Control.

      •    Chief Financial Officer, Financial Management Division.

      •    Assistant Administrator, Human Resources.

      •    Assistant Administrator, Intelligence Division.

      •    Chief Inspector, Inspections Division.

      •    Chief, Office of Congressional and Public Affairs.

      •    Special Agent-in-Charge, Office of Training; and

      •    Special Agent-in-Charge, Advisory Council.

      The Business Council’s primary responsibility is to ensure that
projects and investments recommended by program managers are
consistent with the DEA’s mission, strategic plan, capital planning
goals, EA, and security policy. The Business Council members function
as the working-level experts for the ITIM process by providing
business expertise specific to their respective business unit. The
Business Council’s membership is at the Grade-15 level and includes a
representative from every organizational unit within the DEA. The
Deputy Assistant Administrator, Office of Information Systems, chairs
the Business Council.

      18
         For a further breakdown of how DEA divisions are laid out, see the DEA
Organization Chart in Appendix 5.

      The Compliance Council is responsible for evaluating IT
investments and the DEA’s EA to ensure compliance with legislative
regulations and DEA policy. The Compliance Council consists of
members whose day-to-day responsibilities involve a compliance area.
The members work to ensure compliance with such areas as the
Federal Enterprise Architecture, the Government Performance and
Results Act, and the Government Information Security Reform Act.
The Chief of the Strategic Business Management Section, Office of
Information Systems, chairs this committee.

Critical Attribute 2: Provides Capability to Meet Commitment

     The completion of the second critical attribute for achieving
Stage 2 requires the DEA to establish three core elements:

      1) to establish a program office responsible for EA development
         and maintenance;

      2) to appoint a Chief Architect; and

      3) to develop the EA using a framework, methodology, and
         automated tool.

      The DEA has implemented the three core elements above to
achieve Critical Attribute 2.

      EA Program Office. The EA Management Framework states that
EA development and maintenance should be managed as a formal
program. Accordingly, responsibility for EA management should be
assigned to an organizational unit and not an individual. The
CIO Practical Guide, discussed in the Background section of this report,
states that the primary responsibility of the EA Program Office is to
ensure the success of the EA program.

      In response to the Framework and the CIO Practical Guide, the
DEA reorganized its Office of Information Systems to include a
Strategic Business Analysis Section as the EA Program Office
(Program Office). The Program Office is responsible for the
development and maintenance of the DEA EA.

       To accomplish its responsibility, the Program Office coordinates
with offices throughout the DEA as well as external IT organizations;
assists DEA customers in developing their concepts and plans for the
application of IT to their business processes; and also assists
customers with the ITIM process. Further, the Office of Information
Systems proposed a staffing level that would enable the Program
Office to complete its work. The following table shows the Strategic
Business Analysis Section’s proposed staffing level, and the staffing
level as of February 2004.

                         Proposed Staffing for the
                    Strategic Business Analysis Section

                                                               Proposed    Staffing
                                                               Staffing    Level As
    Title                                   Series/Grade       Level       Of 2/04
    Section Chief, Supervisory
      Computer Specialist                   GS-2210/15             1           1
    Unit Chief, Supervisory
      Computer Specialist                   GS-2210/14             2           1
    Computer Specialist                     GS-2210/13             4           2
    Management Analyst                      GS-0301/9/11/12        2           1
    Contractors                                                    7           4

    Total                                                         16           9

       Source: The Drug Enforcement Administration.

      As the above table shows, the section’s staff consists of a chief,
three computer specialists, and one management analyst. Two of the
three computer specialists on board were assigned to help complete
the EA. As of April 2004, seven contractor personnel were allocated to
the section, but only four had completed the security clearance
process and were on board.

       Even though the proposed staffing level for the section was not
fully achieved, the DEA began developing the EA and implementing the
ITIM process.19 As stated previously, the DEA has documented its
high-level current architecture outlining the agency’s business areas,
applications, data, and technology. According to the DEA’s
Chief Architect, not having the full complement of staff slowed
progress toward completing the EA.

       19
           The DEA’s progress in the implementation of the ITIM process is discussed
in Finding 2 of this report.

      Chief Architect. The CIO Practical Guide and the EA
Management Framework state that an agency should appoint an
executive as Chief Architect, who is responsible and accountable for
the EA, and whose background and qualifications include both the
business and technology areas of the organization. Additionally, the
Chief Architect is responsible for ensuring the integrity of the EA
development process and for the content of the EA products.

      The DEA appointed the head of the Strategic Business Analysis
Section as the Chief Architect. As discussed previously, this person
transferred from the Department’s Justice Management Division where
she participated in business (including budgeting) and technology
issues. The Chief Architect is responsible for:

      •    developing, implementing, and managing the DEA’s EA;

      •    planning the transition from the current to the future EA, and
           monitoring the implementation of the transition plan;

      •    monitoring and evaluating whether IT investments are
           consistent with the current and the future EA; and

      •    developing processes, procedures, guidance, tools, and
           templates to carry out the DEA’s EA program.

      Framework, Methodology, and Automated Tool. The DEA uses a
combination of two frameworks to develop its EA. One framework is
known as the Federal Enterprise Architecture Framework (FEAF), and
the other is the Zachman Framework – named after John Zachman, a
recognized leader in the EA field.

     The FEAF is intended to provide federal agencies with a common
way of constructing their respective architectures.20 According to the
GAO, the FEAF facilitates the coordination of common business
processes, technology insertion, information flows, and system
investments among federal agencies. The FEAF describes an
approach, including models and definitions, for developing and
documenting architecture descriptions for different segments of the
federal government. Similar to the Zachman Framework, the FEAF’s
proposed model describes an entity’s business, data necessary to
conduct the business, applications to manage the data, and technology
to support the applications.

      20
       The federal CIO Council published the Federal Enterprise Architecture
Framework in September 1999. See Appendix 8 for a graphic illustration of the
FEAF.

      The Zachman Framework provides six perspectives, or
viewpoints, on how an agency operates: 1) the strategic planner,
2) the system user, 3) the system designer, 4) the system developer,
5) the subcontractor, and 6) the system itself. The Zachman
Framework also provides six models associated with each of the six
viewpoints: 1) how the agency operates, 2) what the agency uses to
operate, 3) where the agency operates, 4) who operates the agency,
5) when the agency’s operations occur, and 6) why the agency
operates.

      The DEA saw benefits in both frameworks and combined these
two concepts in developing its EA. However, the DEA has been more
concerned about ensuring that the EA aligns with the FEAF since that
framework will eventually be used by the entire federal government.

      The DEA’s methodology to develop its EA is a three-phase
approach.

Phase 1. Includes documenting, at a high-level, what currently exists
within the DEA in terms of business areas, applications, data, and
technology.

Phase 2. Includes 1) providing more detail to the current
architecture, 2) goals and objectives stated in the Department and the
DEA strategic plans, 3) performance measures, 4) aligning the DEA’s
architecture with the Federal Enterprise Architecture reference models,
and 5) aligning the architecture with the DEA’s capital planning
process.

Phase 3. Includes the establishment of the target architecture,
including security compliance and the development of a transition
plan.

      The DEA completed Phase 1 of the EA development in
December 2002. In February 2003, the DEA’s CIO submitted the
high-level description of the DEA’s current EA to the three DEA IT
governing boards for inclusion in the budget process. In March 2004,
the DEA told us that its contractor completed Phase 2, and the DEA
was in the process of reviewing the contractor’s work for compliance
with the FEAF requirements. As of April 2004, the DEA had not begun
Phase 3 of the EA project.

      An EA automated tool serves as the storehouse of the
architecture products. Architecture products include the current and
target architectures and the transition plan. The choice of tool is
based on the agency’s needs and the size and complexity of the
architecture. As stated previously, the DEA has chosen the Popkin
automated tool to store its architecture products. The DEA chose
Popkin because the Department is also using Popkin and the future
integration of the DEA’s EA with the Department’s EA may be more
easily achieved. Because the DEA has just recently begun using the
Popkin tool, we did not assess its effectiveness in clearly and
completely documenting the DEA’s EA, but we agree that using the
same tool as the Department should aid in the future integration of
both EAs.

Critical Attribute 3: Demonstrates Satisfaction of Commitment

      The completion of the third critical attribute for achieving
Stage 2 requires the DEA to establish an EA Program Plan that
includes the following core elements:

      1) describes both the current and the target architectures as
         well as a transition plan;

      2) describes the current and target architectures in terms of
         business, performance, information, application, and
         technology; and

      3) determines the application of security within each
         architectural area.

      We evaluated the DEA’s EA Program Plan and found that the
plan complies with the criteria established in the framework, and
demonstrates completion of the third critical attribute.

      Current and Target Architectures, and Transition Plan. The
CIO Council requires that agencies have a written EA Program Plan.
The plan should describe the steps to be taken and the tasks to be
performed in managing the EA program. The plan should also make
provision for the development of architectural descriptions of how the
organization currently operates (the current), how it intends to operate
in the future (the target), and how it will transition from the current to
the target environment (the transition).

     The DEA has developed a plan in accordance with the CIO
Council’s guidelines. According to the DEA Program Plan, the DEA will:

      •   establish a DEA-wide current architecture that is consistent
          with the OMB EA reference models and the Department’s EA
          program,

      •   develop a component-based target architecture focused on
          the delivery of enterprise-wide and business-process level IT
          solutions,

      •   establish a target architecture-driven ITIM and IT Strategic
          Planning process, and

      •   establish a transition plan.

       Security. In the Program Plan, the DEA states that the
requirements associated with information security are guided by
legislation, including the Federal Information Security Management
Act. As a result, the security elements of the EA will be embedded
within the target EA as a specific EA layer.

      The plan requires the DEA’s EA to comply with EA regulations
and guidance available to federal agencies. The DEA is using various
guidance to complete the EA including: Annual Performance Plan,
Strategic Plan, IT Strategic Planning, IT Capital Planning, EA Analyses
Reports, Communications Plan, IT Governance Plan, and Transition
Plan. According to the DEA, the guidance is used in establishing a
balance between the detail of the architecture and cost constraints of
the architecture program.

      Detailed analyses of the current architecture will allow the DEA
to identify areas in which applications could be combined and where
future investments are necessary. The results of these analyses form
the basis for the target architecture. As stated previously, the DEA
has completed a high-level description of its current architecture and is
working on adding more detail to the current architecture and
beginning to develop the high-level target architecture. The current
architecture describes to the DEA the current state of business
operations and information exchange within and across the
organization, but it does not show where the DEA wants to go in the
future.

Critical Attribute 4: Verifies Satisfaction of Commitment

      The completion of the fourth critical attribute to achieve Stage 2
requires the DEA to ensure that the Program Plan calls for the
following core element:

      1) developing metrics for measuring EA progress, quality,
         compliance, and return on investment.

      The measurement of EA progress, quality, and compliance is
necessary to ensure that the EA meets the targeted milestones and is
compliant with the necessary regulatory requirements. Measuring
return on investment would tell the DEA what benefits are realized by
the development of the EA in relation to the cost of the EA
development.

      Developing Metrics for Measuring EA Progress. The DEA has not
yet established metrics for measuring EA progress, quality,
compliance, and return on investment. The DEA Chief Architect told
us that these metrics would be developed at a later unspecified date.

      EA Stage 2 Summary

     The DEA has completed nearly 90 percent of Stage 2 and has
made progress toward attaining Stage 3 as required by the EA
Management Framework.

Stage 3 Progress

       In Stage 3, the DEA must implement six core elements within
the four critical attributes required by the EA Management Framework.
The DEA has partially completed one of the four critical attributes,
critical attribute 3, which requires the DEA to ensure that the current
and target architectures are described in terms of business, data,
application, and technology.

Critical Attribute 1: Demonstrate Commitment

     To complete the first critical attribute for Stage 3 of the EA
Management Framework, the DEA must establish the following core
element:

      1) develop a written and approved organization policy for the EA
         development.


       According to the EA Management Framework, an organization
policy is an important means for ensuring agencywide commitment to
developing the EA and for clearly assigning responsibility for doing so.
The architecture policy should define the scope of the architecture as
including a description of the current and target architecture, as well
as a transition plan that supports the move from the current to the
target architecture. Additionally, the policy should provide for having
processes for EA oversight and control, review, and validation. The
policy should also address the purpose and value of an EA; its
relationship to the organization’s strategic vision and plans; and its
relationship to the capital planning process.

       The DEA has not established a formal written and approved
organization policy for the EA development. However, the DEA has
established the required elements of the EA development policy in
different ways.

      As described in Stage 2, the DEA established the IT governing
boards with representation from all DEA business areas to ensure
agencywide commitment to EA development. The DEA also
established the EA Program Office with responsibility for developing
the EA. In addition, the EA Program Management Plan – discussed in
Stage 2 – outlines the scope of the architecture including a description
of the current and target architecture, as well as the transition plan.
The EA Program Management Plan also addresses EA oversight,
control, review, and validation responsibilities. Further, the DEA’s CIO
outlined the value of the EA, its relationship to the organization’s
strategic vision and plans, and the capital-planning process in the
DEA’s IT Strategic Plan. However, having the EA development
information together in the form of an organization policy will allow
any DEA staff member to consult one document for information
concerning the development and implementation of the DEA EA.

 Critical Attribute 2: Provides Capability to Meet Commitment

     The completion of the second critical attribute for achieving
Stage 3 maturity requires the DEA to establish the following core
element:

      1) ensure that EA products are under configuration
         management.21



      21
         Configuration management is the process of managing changes to IT
systems or hardware.
      As of May 2004, the DEA current architecture had not met this
standard. The DEA’s Chief Architect told us that configuration
management within the DEA is evolving and the DEA is moving toward
establishing an office to manage it.

      At the time of our audit, the DEA was in the process of
establishing a Quality Management Unit within the Office of
Information Systems. The Quality Management Unit will be
responsible for configuration management of the DEA IT infrastructure
including the EA. The EA is intended to reflect the impact of ongoing
changes in business function and technology on the agency, and
support capital planning and investment management in keeping up
with these changes. Consequently, the completed EA – current
architecture, target architecture, and transition plan – needs to be kept
accurate and current.

Critical Attribute 3: Demonstrates Satisfaction of Commitment

     The completion of the third critical attribute for achieving
Stage 3 maturity requires the DEA to establish three core elements:

      1) ensure that EA products describe or will describe the current
         and target agency environments, as well as the transition
         plan;

      2) ensure that the current and target environments are
         described in terms of business, data, application, and
         technology; and

      3) ensure that the business, data, application, and technology
         descriptions address or will address security.

       Current and Target Architectures, and Transition Plan. According
to the EA Program Plan, EA products will describe the current and
target agency environments as well as the transition plan. As stated
earlier, the DEA has not completed all components of the EA.
However, it has completed a high-level description of its existing
architecture and has plans to complete the target architecture and
transition plan by September 2004.

      The EA Program Plan also states that EA products – current and
target architectures and the transition plan – will be described in terms
of business, data, application, and technology. To show its
commitment to the plans outlined in the EA Program Plan, the DEA’s
high-level description of the existing architecture was described in
terms of business, data, application, and technology.

     Security. In the EA Program Plan, the DEA stated that security
would be addressed as a specific layer within the target architecture.

Critical Attribute 4: Verifies Satisfaction of Commitment

     The completion of the fourth critical attribute to achieve Stage 3
maturity requires the DEA to establish the following core element:

      1) ensure that progress against EA plans is measured and
         reported.

     As stated in Stage 2, the DEA has not established metrics for
measuring EA progress. The measurement of such progress against
EA development plans is necessary to ensure that the development
meets targeted milestones.

      EA Stage 3 Summary

      The DEA has made limited progress toward attaining Stage 3
maturity of the EA Management Framework. The DEA has developed
one EA product, the high-level current architecture. The high-level
current architecture meets the requirements of the EA Management
Framework in terms of the business, data, application, and technology
areas. However, the DEA lacks a written and approved policy for EA
development, implementation, and maintenance. In addition, the DEA
must ensure that when completed, all EA products undergo
configuration management and that the target architecture addresses
security as outlined in the EA program plan.

Attaining Stage 4 Maturity

      To complete Stage 4, an agency must: 1) establish policy for
maintaining the EA, and 2) complete the EA including the current and
target architectures along with the transition plan to get from the
current to the targeted environments. The completed EA must be
described in terms of business, data, application, and technology; and
the descriptions must address security and be approved by the agency
CIO and the committee or group representing the agency or the
investment review board. The DEA has not established a formal
written organization policy for maintaining the EA. However, the
document creating the EA Program Management Office outlines the
procedures for maintaining the EA.

      To attain Stage 4 maturity, additional work must be completed
before the EA is used as intended – to drive sound IT investments that
are consistent with the DEA’s goals and missions. Currently, the DEA
is working on adding more detail to the high-level description of its EA
and developing the target architecture. The following chart shows the
DEA’s timeline for completing its EA by September 2004.


      [Chart: DEA timeline for completing the EA, in three phases:
      October 2003 – January 2004; January 2004 – March 2004; and
      March 2004 – Sept 2004. Chart labels: Develop and Populate
      Enterprise Architecture Management System (Popkin); DEA Existing
      Repository; Business Reference Model; Technical Reference Model;
      Service Reference Model; DEA Offices; Baseline Architecture
      (Phase One); Business; Performance; Stakeholders; Technology;
      Security; Identify Enterprise Wide Opportunities; Budget Process;
      DEA Target Architecture Version 1 2004-2007; DEA Transition Plan;
      GISRA (FISMA) Compliance; Propose a Governance Structure;
      Establish Governance Structure.]

                            Source: The Drug Enforcement Administration.

      Target Architecture

      The DEA’s target architecture will define the vision of the DEA’s
future business operations and supporting technology and will also
describe the desired capability and structure of the business
processes, information needs, and IT infrastructure at some point in
the future. Just as the current architecture captured the existing
business practices, functionality, and information flows, the target
architecture will reflect what the DEA needs to evolve its information
resources.

      The target architecture, when completed, will identify the:

      •   strategic business objectives of the DEA,

      •   information needed to support the business,

      •   applications needed to provide the information, and

      •   technology needed to support the applications.

According to the CIO Council, a target architecture should:

      •   reflect the EA team’s judgment about the future uses and
          characteristics of information within the agency,

      •   reflect the organization’s business area review requirements
          for identifying opportunities to automate aspects of work,

      •   incorporate technology forecasts,

      •   specify the level of interoperability needed between data
          sources and the users of the data,

      •   identify the IT needed to support the agency’s objective as
          stated in the IT Strategic Plan, and

      •   reflect concerns with the budget and geographical locations.

       The DEA’s Chief Architect told us that the development of a
target architecture is the most time-consuming and costly portion of
the EA development. However, a target architecture is necessary to
evaluate whether current IT investments are capable of taking the DEA
into the technology future.

      Transition Plan

       According to the CIO Council, the process of evolving from an
existing architecture to a target architecture is complex and requires
multiple inter-related activities. The best way to understand and
control such a complex process is to develop and maintain a systems
migration roadmap, or transition plan.

      A transition plan provides a step-by-step process for moving
from a current architecture to a target architecture. Such a plan is the
primary tool used for program management and investment decisions
because the plan represents the current environment as well as any
development programs that are planned or underway. To remain
current and to support continued coordinated improvements across an
agency, a transition plan should be maintained and updated as time
and circumstances dictate.


      In addition to specific development requirements for the new
components in a target architecture, a transition plan should consider
including a wide variety of inputs such as:

      •   sustaining operations during a transition,

      •   the existing technical assets and contractual agreements,

      •   anticipated management and organizational changes,

      •   business goals and operational priorities, and

      •   budgetary priorities and constraints.

      A transition plan defines and differentiates between legacy,
migration, and new systems. The legacy systems and their
applications are those in current operation and usually are phased out
during the deployment of a target architecture. Migration systems and
applications may be in current operation, but certainly will be in
operation when the transition begins and for some time into the
future. New systems and applications are those that are being
acquired, are under development, or are being deployed. The new
systems and applications are expected to be operational as part of the
target environment.

      A transition plan should form the basis for the DEA’s annual IT
capital investment plan, which is a key ITIM component. Until the DEA
develops a transition plan, there is a risk that it may invest in
technology that does not meet the DEA’s missions and goals.

      EA Stage 4 Summary

       To complete its EA, the DEA must develop the target
architecture and a transition plan so that the EA can be used as
intended – to drive IT investments.

Attaining Stage 5 Maturity

      According to the EA Management Framework, an organization at
Stage 5 maturity has: 1) completed the EA, and 2) secured senior
leadership approval of it. In addition, at Stage 5 decision-makers are
using the architecture to identify and address ongoing and proposed IT
investments that are conflicting, overlapping, not strategically linked,
or redundant. Thus, Stage 5 agencies are able to avoid unwarranted
overlap across investments and ensure maximum systems
interoperability, which in turn ensures the selection and funding of IT
investments with manageable risks and returns. In essence, an
agency at Stage 5 maturity is using the EA as intended – to drive IT
investments and ensure systems interoperability.

      EA Stage 5 Summary

     The DEA cannot meet Stage-5 requirements of the EA
Management Framework until it completes the EA.

Conclusion

       The DEA continues to make progress toward completing an EA in
accordance with available guidance and frameworks and has begun to
effectively manage its EA with the aspects completed to date. As of
April 2004, the DEA had completed nearly 90 percent of the EA
Management Framework criteria for meeting the Stage 2 level of
maturity. The DEA has completed eight of the nine core elements for
Stage 2 required by the EA Management Framework and thereby has
achieved three of the four critical attributes.

      The DEA has demonstrated its commitment to complete the EA
by: 1) obtaining senior management buy-in through the EA governing
committees; 2) reorganizing its Office of Information Technology
Systems to include an office focused on the development,
implementation, and maintenance of the EA; and 3) appointing a Chief
Architect to ensure the integrity of the EA development process, and
by selecting a framework, methodology, and automated tool to aid in
completing the EA.

      The DEA has made limited progress toward attaining Stage 3
maturity of the EA Management Framework. The DEA has developed
one EA product, the high-level current architecture, which meets the
requirements of the EA Management Framework in terms of the
business, data, application, and technology areas.

      In September 2002, the DEA documented a high-level
description of its “as is,” or current, EA using DEA personnel who were
assisted by a contractor. The development of the current EA is
required to achieve Stage 3 of the EA Management Framework. The
high-level current EA provided the DEA with descriptions of its
business processes, applications used to carry them out, data used in
accomplishing them, technology used in implementing them, and
stakeholders affected by them.


      However, the high-level “as is” EA lacked the detail necessary for
the DEA to progress to a “to be,” or target architecture. In April 2004,
the contractor added the necessary detail, and the DEA accepted the
product after reviewing it to ensure consistency with the Federal
Enterprise Architecture Framework.

      To attain Stage 3 maturity, the DEA must establish a written and
approved policy for EA development, implementation, and
maintenance, and ensure that EA products undergo configuration
management. In addition, the DEA must ensure that the target
architecture addresses security as outlined in the EA program plan.

      To attain Stage 4 and 5 levels of maturity as described by the EA
Management Framework, the DEA must complete and begin
implementing the EA. To build on its accomplishments, the DEA needs
to press forward with completing its target architecture and transition
plan. Without those plans, the DEA cannot ensure that technology
proposals will meet future IT requirements.

Recommendations:

      We recommend that the DEA:

1.    apply metrics to measure EA progress, quality, compliance, and
      return on investment;

2.    establish an organization policy for EA development and
      maintenance that meets the requirements of the EA
      Management Framework;

3.    ensure that the completed EA undergoes configuration
      management;

4.    ensure that the target architecture addresses security as
      outlined in the EA Program Plan; and

5.    complete and implement the remaining EA stages to ensure that
      IT investments are not duplicative, are well-integrated, are cost
      effective, and support the DEA’s mission.




Finding 2: Information Technology Investment Management

      The DEA has improved the effectiveness of its IT
      investment management (ITIM) by advancing its level of
      maturity from Stage 1 to Stage 2 in the five-stage ITIM
      Framework.22 The DEA has created an awareness of the
      importance of an IT investment process and has instituted
      the processes necessary to build an IT investment
      foundation. The DEA has also established investment
      boards to ensure that policies for selecting, controlling,
      and evaluating IT investments are developed and
      consistently followed throughout the organization. The
      DEA also has completed about one-third of Stage 3
      required by the ITIM Framework, including documenting
      policies and procedures for creating and modifying IT
      portfolio selection criteria and ensuring that the
      investment board has approved the IT portfolio selection
      criteria. In addition, the DEA has implemented the select
      phase of the ITIM process and has plans to implement the
      control and evaluate phases in 2004. By advancing to
      Stage 2 of the ITIM Framework, the DEA has begun to
      mitigate the risk of basing its IT decisions on judgment,
      intuition, and partial data rather than on objective,
      systematic, IT-related information that is routinely
      collected and analyzed within the ITIM process.
      Institutionalizing the entire ITIM process will further reduce
      such risks to the DEA.

Synopsis of the Five Stages of the ITIM Process

      To implement the five stages of the ITIM process, the DEA must
also complete five core elements for each critical process listed below.
The five core elements are: 1) purpose, 2) organizational
commitment, 3) prerequisites, 4) activities, and 5) evidence of
performance. With the exception of the “purpose” core element, each
core element also contains key practices, which are the
attributes and activities that contribute most to the effective
implementation and institutionalization of a critical process.23


      22 In Stage 1 an organization has created an IT investment awareness by
characterizing its IT investment process through unstructured processes. In Stage 2
an organization builds the foundation for current and future investment success by
establishing basic IT selection and control processes.
      23 See Appendix 9 for a table showing DEA’s progress through Stage 3 of the
ITIM Framework.
       Stage 1. To complete this stage, the DEA needs to create
investment awareness, using the following critical process: using a
disciplined investment process for IT spending. The DEA has created
an IT investment awareness within the agency.

      Stage 2. The second stage – building the investment
foundation needs – consists of the following critical processes within
the ITIM Framework: instituting the investment board, meeting
business needs, selecting an investment, providing investment
oversight, and capturing investment information. The DEA has
completed the stage entirely.

      Stage 3. Developing a complete investment portfolio is the
objective of this stage. Critical processes include: defining the
portfolio criteria, creating the portfolio, evaluating the portfolio, and
conducting post-implementation reviews. The DEA has made
progress in completing this stage.

      Stage 4. This stage consists of improving the investment
process and uses the following critical processes: improve the
portfolio’s performance and manage the succession of information
systems. As the DEA’s selection and control processes mature, the
DEA will begin focusing on improving the established evaluation
processes for this stage.

      Stage 5. Leveraging IT for strategic outcomes is the final stage
in the ITIM maturity process. The critical processes for this stage are:
optimizing the investment process and using IT to drive strategic
business change. The DEA will attain Stage 5 maturity when its
selection, control, and evaluation processes operate together to
produce IT outcomes. The status of the DEA’s ITIM stages follows.

Stage 2 Completed

       The DEA has attained a basic ITIM capability (Stage-2 maturity)
to establish the foundation for effective and replicable IT project-level
investment selection and control processes. Selection processes
ensure that the DEA has an effective methodology for approving only
those IT projects that are consistent with its needs and goals.
Effective control processes ensure that deviations from cost and
schedule baselines can be identified quickly.




Critical Process #1: Instituting the Investment Boards

        According to the ITIM Framework, the purpose of investment
boards is to ensure that basic policies for selecting, controlling, and
evaluating IT investments are developed, institutionalized, and
consistently followed throughout the organization. Depending on its
size, structure, and culture, an organization may have more than one
IT investment review board. The organization may choose to make
the same board responsible for executive guidance and support for the
EA. Such an overlap of responsibilities may enhance the ability of the
boards to ensure that investment decisions are consistent with the EA
and that the EA reflects the needs of the organization.

      In establishing three agencywide IT Investment Boards – the
Executive Review Board, the Business Council, and the Compliance
Council – the DEA implemented the following key practices as stated in
the ITIM Framework:

     •   established and appointed members to agencywide IT
         investment boards responsible for defining and implementing
         the DEA’s IT investment process,

     •   established an IT investment process for directing the
         investment boards’ operations,

     •   provided resources to support the operations of the IT boards,

     •   ensured that the boards’ members understand the
         organization’s ITIM policies and the procedures used in the
         decision-making process,

     •   ensured that the boards’ spans of authority and
         responsibilities were defined to minimize overlaps or gaps,

     •   ensured that the agencywide investment boards have
         oversight responsibilities for the development and
         maintenance of the organization’s documented IT investment
         process,

     •   ensured that the investment boards operate in accordance
         with assigned authority and responsibility, and

     •   established management controls to ensure that the
         investment boards’ decisions are carried out.


      Investment Boards. The DEA has established three IT
investment boards: 1) the Executive Review Board, 2) the Business
Council, and 3) the Compliance Council. These three boards are also
responsible for executive guidance and support for the EA. The
boards’ EA responsibilities are discussed in detail in Finding 1 of this
report.

      The Executive Review Board’s primary responsibility is to provide
leadership to enable the implementation of a managed information
technology, capital planning, and investment control process. The
Executive Review Board also recommends the continuation,
modification, or termination of funding for IT projects. The DEA’s
Chief Information Officer and Chief Financial Officer jointly chair the
Executive Review Board. Additional members of the board include
three DEA Assistant Administrators, the Chief Counsel, the Chief
Inspector, the Chief of the Office of Congressional and Public Affairs,
and two Special Agents in Charge.24

      The Business Council’s primary responsibility is to ensure that
recommended projects and investments are consistent with the DEA
mission, strategic plan, capital planning goals, EA, and security policy.
Business Council members function as working-level experts for the
ITIM process by providing business expertise specific to the business
units that each member represents. The Deputy Assistant
Administrator of the Office of Information Systems chairs the Business
Council, and the members are GS-15 level staff members from every
organizational unit within the DEA.

      The Compliance Council is responsible for evaluating IT
investments to ensure compliance with legislative regulations and DEA
policy. The Chief of the Strategic Business Analysis Group, Office of
Information Systems, chairs the Compliance Council. The Compliance
Council’s members include individuals whose day-to-day
responsibilities involve a compliance area. The members of the
Compliance Council work to ensure compliance with such areas as the
Federal Enterprise Architecture, the Government Performance and
Results Act, and the Government Information Security Reform Act.

      IT Investment Process. The DEA’s IT Investment Process Guide
and Transition Plan (Investment Guide), dated December 2001,
documents the agency’s IT investment process. The Investment Plan
contains all the elements prescribed by the ITIM Framework including:


      24 The Assistant Administrators are from the Office of Diversion, Human
Resources Division, and the Intelligence Division.
     •   a description of the roles of the key people within the DEA
         investment process,

     •   an outline of the significant events and decision points within
         the process,

     •   an identification of the external and environmental factors
         that influence the process, and

     •   the manner in which the IT investment process will be
         coordinated with the annual budget cycle.

     Adequate Resources. According to the ITIM Framework,
executive management is typically responsible for creating investment
boards, defining their scope and resources, and specifying their
membership. Establishing an investment management working group
can benefit both the investment boards and IT project managers by
coordinating requests for information and providing responses.

      The Chief of the DEA’s Strategic Business Analysis Section told us
that the DEA has secured the necessary resources, including staff and
funding, to support the operations of the three investment boards.
Top management support for the operation of the investment boards is
demonstrated by the assignment of senior DEA personnel to the
Executive Review Board and the Business Council. In addition, the
DEA has established an ITIM Management Group within the Strategic
Business Analysis Section of the Office of Information Systems. The
Management Group provides support, advice, and guidance on
carrying out the ITIM process. The Management Group facilitates
access to IT experts. The Management Group operates as an
investment management center staffed with DEA and contractor
personnel. The Management Group is responsible for providing the
DEA Administrator, CIO, CFO, and senior leadership with the necessary
analytical and project management information for making key
budget, financial, and program management decisions affecting the
future use of IT in the DEA. The Management Group is also
responsible for overseeing the movement of investment proposals
through the ITIM process, including providing assistance to project
managers.

      Competence. According to the ITIM Framework, to ensure the
success of an IT investment program, members of investment boards
should be familiar with the boards’ policies and procedures and be
capable of carrying out their responsibilities competently. Training
should be provided for members who have had little or no investment
decision-making experience or relevant education. For example,
training could be provided in economic evaluation techniques, capital
budgeting methods, performance measurement strategies, and risk
management approaches.

      As described in a DEA self-assessment, the members of the
three investment boards are qualified to make strategic decisions
regarding IT investments.25 The DEA’s CIO, who is responsible for
establishing the IT investment process, chairs the Executive Review
Board. The CIO has extensive experience in IT management.
Additionally, the Business Council members are key line managers who
are knowledgeable about business requirements in their respective
areas of responsibility.

      Further, the Management Group assists project and program
managers in preparing clear, concise summaries of their investment
proposals for presentation to the Business Council. According to the
Chief of the Strategic Business Analysis Section, for major
investments, the Management Group provides guidance on scoring
various investment elements and instructs the Business Council on
how to complete a scoring worksheet.26

      The Chief of the Strategic Business Analysis Section told us that
the DEA recognizes the importance of periodic training for board
members and program managers. For example, in April 2003 before
the FY 2005 budget cycle, the DEA CIO issued a memorandum
encouraging the executive staff and anyone involved with IT
investments to attend one of two training seminars taught by an OMB
IT investment expert. The training focused on the IT capital planning
process and the development of IT business cases as presented in the
OMB Exhibit 300, which shows the proposed cost, schedule, and
performance goals for the investment.

      Additionally, the DEA partnered with the Department’s Office of
the Chief Information Officer (OCIO) to arrange another training
session on IT investments in May 2003. The training focused on
obtaining a score of five in the OMB scoring of Exhibit 300 investments.27

      25 The self-assessment is a document the agency uses to assess its IT
investment management activities in accordance with the Framework.
      26 The DEA uses a scoring method to rank investment proposals based on how
each proposal supports the DEA mission. The investment proposal score ranges
from zero to 10.
      27 The OMB scores IT investments on a scale of one to five, with one being
the lowest score and five being the highest.
The DEA obtained the highest score of 5 for 2 of the 11 IT investment
proposals scored by the OMB. Further, 5 of the 11 IT investment
proposals obtained a score of 4. An OCIO budget analyst told us that
the two perfect scores were the only perfect scores for the Department
in the FY 2005 budget cycle.

       Avoiding Duplication or Gaps. According to the ITIM Framework,
the existence of multiple boards to govern the agency’s IT investment
process requires that criteria governing the boards’ authorities and
responsibilities be defined in such a way that there are neither
overlaps nor gaps in the assigned authorities and responsibilities. The
criteria governing the boards’ authorities and responsibilities can be
based on: cost, benefit, schedule, and risk thresholds; the number of
users affected; the function of the business unit; the lifecycle phase of
an IT investment; or other comparable and useful measures.

      To ensure that no overlaps or gaps exist within the scope of the
boards’ authorities and responsibilities, the DEA has created a
hierarchical approach to the operation of the investment boards.
Before the boards become involved in the ITIM process, the
Management Group works closely with the project and program
managers to ensure the completeness of the IT investment proposals
and to monitor the performance of the investments after funding. The
proposals are forwarded to the Business Council for review and scoring
based on the DEA mission and goals. Based on the results of the
Business Council’s review, recommendations are made to the
Executive Review Board on the IT projects for which funding has been
requested. The Executive Review Board evaluates the
recommendations to ensure that the DEA’s mission and goals are
being met through the proposed investment and then makes final
recommendations to the DEA Administrator. In reviewing the boards’
minutes we noted that the boards discussed and scored proposals and
made recommendations.

       Oversight Responsibilities. According to the ITIM Framework,
the agencywide IT investment boards should be responsible for
developing an agency-specific IT investment guide to ensure that
technological resources are linked to the agency’s mission and IT
strategic plan. The boards’ work processes and decision-making
processes are described and documented in the guidance.
Additionally, after the guidance has been developed, the investment
boards must actively maintain the guidance, making sure that it
reflects the current structure and processes used to manage the
selection, control, and evaluation of the organization’s IT investments.


      The DEA documented its IT investment processes in its
December 2001 Investment Guide. Since the investment boards were
not in existence at the time, the DEA formed a temporary working
group consisting of representatives at the management and executive
levels to develop the Investment Guide. The Executive Review Board’s
charter states that the Executive Review Board must approve all
changes to the Investment Guide. Due to the importance of the
Investment Guide to the ITIM process, the mandatory approval of any
changes to the Investment Guide demonstrates one of the Executive
Review Board’s key oversight responsibilities.

       Controls. According to the ITIM Framework, establishing
effective controls helps ensure that management will carry out IT
investment boards’ decisions. Without management controls,
decisions made by investment boards might not be implemented
because of conflicting priorities of the boards’ members. To ensure
the effectiveness of management controls, the relationship between
upper management and the investment boards must be documented
and agreed to by both parties. The investment boards must have the
confidence of upper management when deciding on new proposals and
funding for ongoing projects.

      The DEA Investment Guide identifies the key DEA players in the
ITIM process as follows: the Administrator, CIO, CFO, other senior
executives who sit on both the Business Council and the Executive
Review Board, and the Management Group. By including such
high-ranking officials as the key players to manage the ITIM process,
the DEA has, in essence, established controls and oversight to ensure
that the boards’ decisions are carried out. Because the investment
boards have been in operation for only one cycle of the select phase,
we were unable to evaluate the boards’ effectiveness.

Critical Process #2: Identifying Business Needs for IT Projects

      According to the ITIM Framework, an agency needs to develop a
process to identify the business needs supported by the proposed IT
investment. IT projects and systems should be closely aligned with
the business needs of the agency to support the highly visible core
business processes. To the extent that an agency has planning
documents – such as a strategic plan or target architecture – these
documents should be used as a source of agreed-upon business needs.

      The identification of business needs is important to ensure that
IT projects and systems support the agency’s strategic plan objectives
and business goals and objectives. In addition, the agency’s
investment management process is strengthened and institutionalized
by linking the agency’s business objectives to its IT strategy and
establishing a partnership between the sponsoring unit and the
provider of the technology.

      To ensure that business needs are identified for IT projects, the
DEA implemented the following key practices in accordance with the
ITIM Framework:

      •   documented policies and procedures for identifying IT
          projects or systems that support the DEA’s ongoing and
          future business needs,

      •   documented the business mission with stated agency goals
          and objectives,

      •   provided resources for the identification of IT projects and
          systems,

      •   defined and documented business needs for both proposed
          and ongoing IT projects and systems,

      •   identified specific users and other beneficiaries of IT projects
          and systems,

      •   ensured user participation in project management throughout
          an IT project or system’s life cycle, and

      •   ensured that the investment boards periodically evaluated the
          consistency of IT projects with the DEA’s strategic goals and
          objectives.

       Policies and Procedures. The ITIM Framework states that an
agency should have policies and procedures that outline a systematic
process for identifying, classifying, and organizing its business needs
and the IT projects that support these needs. In many cases, the
policies and procedures can be covered in the internal guidance used
for documenting the business case for a proposed IT investment.

       In its Investment Guide, the DEA has documented its process for
identifying business needs for proposed IT investments. According to
the Guide, program managers submit proposals to the Business
Council and the Executive Review Board for consideration. Each IT
proposal must identify which business need is served by the proposed
IT project. The proposal must also state tangible and measurable
mission benefits. The DEA has standardized the presentation of an IT
proposal to the Business Council by creating a template that must be
used by program managers, and also has incorporated the
identification of the business needs that are to be supported by the IT
proposal as one of the categories within the template.

       Further, after the Business Council and the Executive Review
Board review the proposal and make a determination to pursue the
proposal, the project manager prepares the OMB Exhibit 300. In
preparing the Exhibit 300, the project manager must also identify the
business needs being met by the proposal. In standardizing the
proposal presentation and in completing the Exhibit 300, the DEA has
helped ensure that the business needs for each IT proposal will be
identified.

       Business Mission. According to the ITIM Framework, the
business mission, containing the agency’s stated goals and objectives,
is typically identified in the agency’s Strategic Plan.

       The DEA incorporated its general business mission
into the IT strategic plan, and according to that plan the DEA’s IT
mission is to strengthen the IT environment to meet future challenges
for drug enforcement, terrorism, and electronic government. To
accomplish its IT mission, the DEA will modernize obsolete
infrastructure platforms, expand secure information sharing
capabilities, re-engineer business processes, and implement
management practices that better support IT management.

       Identifying Business Needs. To demonstrate managerial
attention to the process of ensuring that business needs are identified
for each project, the DEA has tasked the Office of Information Systems
with the responsibility to ensure that IT projects and systems identify
the organization’s business needs. Each unit within the office has a
manager and is staffed to support its respective function. In addition,
the DEA hires contractors to help staff some of its units within the
office. Further, the office periodically updates an inventory of systems
to identify current IT projects; the inventory states each system’s acronym,
name, and description. The office also maps each system to a specific
function. The office and the Property Custodian Assistants maintain
the DEA’s technical hardware inventory, which lists the component,
hardware description, and software applications and licenses.

     According to the DEA, the program managers are considered
sponsors of IT investments because they are responsible for the
submission of IT concept proposals to the Business Council. As
sponsors, each program manager ensures IT investment compatibility
with the general DEA IT mission.

       The Management Group provides staff support to project
managers during the concept proposal phase of an IT project.
Specifically, this assistance seeks to link the business objectives of
each IT proposal with the business needs of the organization. To
support the process as outlined in the Investment Guide, the
Management Group provides concept proposal and business plan
training for program managers. The DEA also hosts Project
Management Institute seminars to train program managers on how to
identify business needs. Additionally, the DEA provides training in the
Rational Unified Process tool, which provides project guidance to
program managers. The Rational Unified Process is a flexible software
development process program that enables an agency to provide
consistent process guidance to a project management team. The DEA
is using the Rational Unified Process in most organizational units
to implement replicable and organized processes.

      Documenting Business Needs. According to the ITIM
Framework, each agency must ensure that its IT projects are directly
or indirectly linked to at least one of the organization’s business needs
or mission goals. A direct link is of greater value than an indirect link.
Identifying the business purpose, defining an executive sponsor of
each project, or obtaining confirmation from users that the project
meets their business needs can establish a direct link.

      The business needs for both proposed and ongoing IT
investments within the DEA are defined and documented in the
OMB Exhibit 300 for each investment. The business plans submitted
by the program managers contain goals for each project that map
back to the goals listed in the DEA strategic plan.

      The DEA Investment Guide states that the Business Council is to
evaluate whether the proposal meets the agency’s business needs.
We reviewed minutes from the Business Council’s meetings and
determined that the Business Council ranks proposals according to
how the proposal supports the business mission of the DEA. Even
though the business purpose for each project is determined as part of
the proposal phase of the project, ongoing investments undergo
further evaluation during the annual budget process. The evaluation
consists of: 1) the program manager submitting monthly reports to
the Management Group for review and forwarding the reports to the
appropriate boards for further review, and 2) the Business Council and
the Executive Review Board reviewing the monthly reports to
determine if the investment still supports mission-related functions.

       Specific User Identification. The ITIM Framework states that IT
projects may address the needs of multiple sets of end-users, who will
benefit from the system. The agency should formally identify the
primary end-users early on in the project. This process allows the IT
staff to develop IT projects or systems focusing on specific,
well-defined goals of delivering value to its end-users, who depend
directly on the IT staff to produce systems that will help them
accomplish their particular goals.

       The DEA maintains a listing of all potential end-users for all IT
projects and systems. This listing is also a part of the DEA EA.
Additionally, during the “select” component of the capital planning and
investment control process (discussed in the Background section of
this report), end-users for each IT investment are identified in the
Business Plan and the OMB Exhibit 300 for major IT investments.

      End-users’ Participation. The ITIM Framework points out that
end-user involvement will vary during the different stages of a
project’s system life-cycle. During the project’s conception, end-users
should be heavily involved in developing the business case and in
defining how the system will help to meet needs or opportunities. The
end-user should be heavily involved during user acceptance testing.
However, during other phases of development, the end-user should
play a more limited role.

        During the final phases of the system’s life-cycle, especially the
operational phase, the end-user should play a major role in helping to
identify and document any benefits that are realized from the system’s
implementation. End-users are encouraged to participate in the
operational analysis of the system, which should involve collecting
information about the system’s performance and comparing it with the
initial performance baseline.

      During the control phase, each project follows the DEA
System-Development Life Cycle. The DEA uses the System-
Development Life Cycle to ensure a uniform development process.
During this phase, project managers prepare a Project Management
Plan (PMP) for each IT investment. The PMP serves as an agreement
between the end-user and the development team during the
construction of the IT system. Specifically, PMPs outline:



      •    the problem to be solved,

      •    the proposed solution to the problem,

      •    the integrated project team,

      •    the project timeline, and

      •    the expectations of both the development team and the
           end-users of the project.

       The PMP also includes a work breakdown structure that
establishes baseline deliverables and performance milestones.
Additionally, the PMP milestones require program managers to provide
documentation on project activities to the end-users as the project
progresses through the System-Development Life Cycle. The
project’s complexity dictates the amount of System-Development Life
Cycle documentation required. The DEA utilizes the Rational Unified
Process to track the project through the System-Development Life
Cycle. The Rational Unified Process consists of four progress stages:
1) inception, 2) elaboration, 3) construction, and 4) transition. The
DEA self-assessment states that the DEA uses a Field Advisory Council
to determine if the product met end-user requirements within the field
offices.[28] The Field Advisory Council gathers and provides information
to the Office of Information Systems on the development and
deployment of technical infrastructure.

      Investment Boards’ Evaluation. During the investment boards’
evaluation, the boards assess the anticipated outcomes of a project or
system, and its value in relation to defined expectations. The boards
also determine whether and how well the IT project or system is
meeting the agency’s expectations. After deployment, the DEA
measures the system’s ability to continually meet a business or user
need.

       Using historical data, system expectations, and other factors as
criteria, the investment boards evaluate each IT project to determine
its value to the agency. The review cycle includes an evaluation of
project risks. Periodic evaluation of each IT project permits the
investment boards to determine the ongoing value of each IT
investment. These periodic evaluations are critical to determining
whether or not to continue funding the IT project.


      [28] The Field Advisory Council consists of designated agent representatives
from domestic and international field offices.
       If an investment is found to be inconsistent with the
organization’s strategic goals and objectives, immediate action must
be taken at the project level, with oversight provided by the
investment boards, to realign the project or system. But even a
successful system will eventually begin to provide diminishing returns
as it becomes more expensive to maintain. In addition, changing
business requirements also can make a system obsolete.

      The evaluation phase of the DEA IT Process was not yet
operational as of February 2004. Presently, the DEA is operating in
the select phase of the IT process. According to the DEA Investment
Guide, the evaluation phase of the ITIM process will be concerned with
ensuring that each IT investment delivers expected results and mission
benefits. When the evaluation phase is implemented, program
managers will submit monthly reports to the ITIM Management Group,
which will collect and maintain this information in an ongoing IT
portfolio. The Business Council and the Executive Review Board will
evaluate the investments contained within the IT portfolio.

       The Management Group Chief told us that the Business Council
has initiated a review of current IT investments. The Chief added that
individual project managers, in conjunction with their supervisors,
perform an evaluative role regarding IT investments. Individual
project managers have presented status reports about IT investments
to the Business Council. Minutes of Business Council meetings showed
that the Business Council ranked each investment and made
recommendations to the Executive Review Board on project funding.

Critical Process #3: Selecting an Investment

      According to the ITIM Framework, review or “reselection” of
ongoing projects is a very important part of this critical process. If an
IT project is not meeting the goals and objectives that were
established in the original selection, the investment boards must make
a decision on whether to continue to fund the project.

      To satisfy this critical process, the DEA implemented the
following key practices:

      •   documented policies and procedures for selecting new IT
          proposals, reselecting ongoing IT investments, and
          integrating funding with the process of selecting investments;

      •   ensured that resources exist for identifying and selecting IT
          projects and systems;

      •   established criteria for analyzing, prioritizing, and selecting
          new IT investment opportunities and reselecting IT
          investments;

      •   ensured that the above criteria reflect organizational
          objectives;

      •   ensured the use of the defined selection process, including
          criteria for selecting new IT investments and reselecting ongoing
          IT investments; and

      •   ensured that executives’ funding decisions are aligned with
          selection decisions.

      Policies and Procedures. According to the ITIM Framework, a
structured method provides the organization’s investment boards,
business units, and IT developers with a common understanding of the
process and cost, benefit, schedule, and risk criteria that will be used
to select IT projects. Also, a documented selection process can help to
ensure consistency when an organization is considering multiple
investments for funding. Transparency in the process can help to
create an environment that is objective, fair, and rational. Thus,
potential investments will be judged solely on the merits of their
contribution to the strategic goals of the organization without undue
influence from outside the process.

       The DEA has documented its IT investment selection criteria in
the Investment Guide. A program manager prepares a concept
proposal for review by the ITIM Management Group, which validates
the concept proposal’s format and provides a preliminary evaluation of
the technical and business feasibility of the proposal. The concept
proposal is then forwarded to the Business Council, which provides an
independent review — in accordance with approved criteria — to
ensure compliance with the DEA EA and to prevent duplication with
ongoing development efforts. The criteria include evaluating risks,
costs, and mission benefits based on the DEA’s IT Strategic Plan and
organizational priorities, consistency with the DEA EA, and compliance
with security policy. The Business Council forwards its
recommendations to the Executive Review Board, which evaluates and
prioritizes the proposals to be forwarded to the DEA Administrator for
approval and inclusion in the annual budgeting process.

     During the budgeting process, the program managers prepare
and submit OMB Exhibits 300, which include a feasibility study, project
plan, and preliminary budget estimate. Each Exhibit 300 is reviewed
and evaluated by the ITIM Management Group, Business Council, and
Executive Review Board. The projects are compared and rated on a
color scale of red, yellow, or green. Red-rated investments are not
accepted. Yellow-rated investments have received a “concerned
approval” that may require additional information and close
monitoring. Green-rated investments signify approval.

      The DEA ITIM Management Group forwards an approved
portfolio of proposed investments to the Department’s ITIM
Management Group. The Department’s ITIM Management Group then
consolidates the portfolio with those from other Departmental
components and submits them to the Department’s Senior
Management Council for decision, prior to forwarding the portfolio to
OMB for review.

      Further, the DEA uses the process described above to reselect
ongoing IT investments. As noted above, the DEA has integrated the
funding of investments into the selection process by allowing the
selection process to occur simultaneously with the DEA annual budget
process.

      Adequate Resources. The ITIM Framework states that the
resources for selecting IT projects typically involve:

     •   managerial time and attention to the process, including
         project sponsorship;

     •   staff support, including a designated official to manage the
         process; and

     •   support tools, methods, and equipment for organizing and
         analyzing IT proposals.

      As the concept proposal author, a program manager becomes
the sponsor of the proposed investment. As the sponsor, the program
manager is responsible for ensuring IT investment compatibility with
the DEA IT Strategic Plan.

      Regarding staff support of investments, the DEA has in place an
ITIM Management Group, which is responsible for designing,
implementing, and operating the DEA ITIM process, including the IT
investment selection process. The ITIM Management Group manages
the process by: 1) validating IT proposal completeness, 2) monitoring
individual investment performance, and 3) supporting the Business
Council and the Executive Review Board in evaluating the investments.

      The DEA has described in its Investment Guide the tools,
methods, and equipment to be used for selecting IT projects. The DEA
uses standardized templates for the submission of IT proposals to the
Business Council for review. The Business Council and the Executive
Review Board use approved criteria to evaluate the IT proposals. The
proposals are organized according to the ranking received from the
Business Council and the Executive Review Board.

       Pre-determined Criteria. According to the ITIM Framework, any
decision-support process should be based on pre-determined criteria.
In order to maintain consistency, the criteria should include
quantitative or qualitative measures for comparing projects, based on
such things as investment size, length of the project, technical
difficulty, project risk, business impact, customer needs, cost-benefit
analysis, organizational impact, and expected improvement. The
results of the comparison help the investment boards analyze the
potential risk and return on investment for a particular project and
prioritize the portfolio using a scoring method that considers the
strengths and weaknesses of each project.

      The DEA ITIM Management Group has developed a scoring
worksheet for use by the Business Council in evaluating each IT
investment proposal based on relative factors. These factors include:
1) project management, including performance goals, risk
management, security, and project planning and spending; 2) mission
support and impact; and 3) appropriateness of funding. Program
managers make presentations to the Business Council about the
respective IT investments. During the presentation, the Business
Council members complete scoring worksheets. The scoring
worksheets are then combined, and the investments are prioritized
based on the combined score that each investment received. The
Business Council’s scoring results are reported to the Executive Review
Board, which makes the final investment decision. The DEA also uses
the above criteria to reselect ongoing IT investments for continued
funding.

       Organizational Objectives. The ITIM Framework states that
during project selection, decision-makers use various criteria to help
assess a system’s projected outcomes, resource allocations
(e.g., people, funding, and tools), and benefits and costs. As
organizational goals and objectives change and the criteria for
selecting projects change with them, decision-makers need to have a
management structure and tools in place to help reassess their
decision criteria and the impact of those criteria on decisions, results,
and outcomes.

       The DEA’s ITIM Management Group is responsible for developing
and maintaining the agency’s IT Strategic Plan, which is updated
annually. In addition, the ITIM Management Group develops the
scoring worksheet used by the Business Council to prioritize the IT
investments. According to the DEA self-assessment, the ITIM
Management Group updates the scoring worksheet each year to reflect
any changes in the IT Strategic Plan. This is necessary because one
criterion for prioritizing an IT investment is whether or not the
investment supports the DEA’s mission and goals.

      Selection Process. An organization must not only have a project
selection process documented but must also use the process. The
ITIM Framework states that the selection process should occur within
the context of the organization’s cyclical budgeting process. A
designated official should manage the data submission and the
screening activities associated with the selection process.

      The DEA has completed one selection cycle of the ITIM process
and as of March 2004 was in the process of completing the second
cycle for the FY 2006 budget year. We reviewed the minutes of the
Business Council to determine if the DEA was actually using its
prescribed selection process. According to the minutes, the program
managers made presentations to the Business Council, which were
ranked and prioritized based on how the projects met mission goals
and objectives. The Business Council’s decision was forwarded to the
Executive Review Board for further evaluation and a funding
recommendation.

       Funding Decisions vs. Selection Decisions. According to the ITIM
Framework, an organization’s executives have discretion in making the
final funding decisions on IT proposals. However, their decisions
should be based on the analysis that has taken place during the
selection process. Additionally, there should be evidence that some
proposals are judged less meritorious than others and thus do not get
funded as part of the decision-making process.

      As stated earlier, the Business Council prioritizes the IT
investment proposals based on its review and evaluation of each
proposal. The Business Council recommendations are then sent to the
Executive Review Board for further evaluation and recommendation to
the DEA Administrator for funding. In a memorandum dated
May 23, 2002, the DEA Administrator stated that all funding for DEA IT
investments would be based on the Executive Review Board’s
decisions.

      Conclusion. The DEA has completed the steps necessary to
establish an IT investment selection process. The DEA has:
1) defined a method for selecting new IT projects and reselecting
ongoing IT investments for funding, 2) documented a project selection
process and is using it, and 3) laid the foundation to implement the
mature critical processes for making IT proposals and selecting
projects as described in Stage 3 of the ITIM Framework.

Critical Process #4: Providing Investment Oversight

      The purpose of this critical process is to ensure that an
organization provides effective oversight for its IT projects throughout
all phases of a project’s life cycle. While the investment boards should
not micromanage each project, they should maintain adequate
oversight and observe each project’s performance and progress toward
defined cost and schedule expectations. The investment boards
should expect that each project development team will be responsible
for meeting project milestones within the expected cost parameters
that have been established by the project’s business case and
cost-benefit analysis.

      To satisfy this critical process, the DEA must implement these
key practices:

      •   document policies and procedures for oversight of IT projects
          and systems,

      •   provide resources for managing IT projects,

      •   ensure that project management plans are kept for IT
          projects and systems,

      •   provide actual performance data to the appropriate IT
          investment boards, and

      •   conduct performance reviews of IT projects and systems.

The DEA has implemented all five key practices.

     Policies and Procedures. According to the ITIM Framework, an
organization should establish policies and procedures for management
oversight of IT projects. The policies and procedures should specify:
1) the criteria to be used by the investment boards when evaluating
project performance, and 2) that corrective action be taken when the
project deviates or varies significantly from the project management
plan.

      The DEA has documented procedures specifically covering
software project tracking and oversight. These procedures were
developed as part of the Capability Maturity Model (CMM) process
improvement initiative.[29] The procedures cover internal reviews by
project managers, formal project management reviews,
communication of commitments and changes to commitments, and
senior management review of commitments and changes to
commitments. The procedures are executed at the project level and
operate within the ITIM process. They describe the roles of the project
manager, development team, line management, and senior
management within each process.

      Project managers review the status of software projects with
supervisors and customers to identify and resolve issues associated
with the project. Project risks are identified for major IT investments
and documented in OMB Exhibit 300. The Business Council and the
Executive Review Board manage by exception and review only those
projects that exhibit a 10-percent or greater cost or schedule variance
as explained in OMB Circular A-11. The DEA coordinates application
development projects and infrastructure projects to ensure that the
infrastructure can support the development of new applications.

      The DEA Investment Guide states that along with certain
checkpoints in the System-Development Life Cycle, investments in the
control phase are subject to periodic progress reviews to assess cost
management, schedule variances, and realization of planned benefits.
The scope and frequency of these reviews should be determined by
the projects’ cost, risk, and complexity. The information used for
these reviews, such as expenditures and work completed, is collected
monthly from the project manager.

       Adequate Resources. The ITIM Framework states that an
organization should provide the resources needed to oversee its IT
projects and systems. These resources should include managers and
staff who are assigned specific responsibilities for monitoring, and
tools – such as project summary reports on schedule and cost – to
support the investment boards’ oversight operations.

       [29] The Capability Maturity Model is an improvement framework used by an
organization to judge the maturity of its software development processes. It also
identifies the key practices required to help organizations increase the maturity of
these processes.

      The Management Group facilitates the ITIM process. The
Management Group is staffed with a combination of government and
contractor personnel providing the expertise necessary to ensure that
investment boards are provided with sufficient information for
executive level oversight. The Management Group prepares
presentation templates for project managers, assists project managers
in preparing materials for the ITIM boards, develops evaluation forms
for the boards’ members, prepares boards’ minutes, and follows up on
boards’ action items.

       In addition, the Management Group coordinates with the Quality
Management Unit on evaluation tools for earned-value and project
reporting metrics.[30] The information generated from these evaluation
tools is included in a status report for the ITIM boards’ oversight
activities. The DEA is also using Microsoft Project to present the
standard work breakdown for each project. As the project plans are
updated with actual completion dates and costs, this information is
included in the earned-value management tool. The Quality
Management Unit also captures other project-performance metrics,
and reports the data to the ITIM Management Group for use with the
investment boards’ oversight processes.

       Project Management Plans. The ITIM Framework states that
each IT project management team should create and maintain a PMP
for the project or system for which it is responsible. The PMP
documents a variety of project decisions, assumptions, and
expectations including project performance. Expectations could
include a cost-and-schedule baseline-control system – such as the
earned-value management system – milestone-based accomplishment
expectations, or another control system depending on the project’s
size, importance, cost, and risk.

      The DEA has required each project to have a PMP that
documents the purpose, scope, and background of the project; the
project organization; and the management and technical approach.
The PMP also contains the project schedule and funding information. A
number of supplemental exhibits are included with the PMP, such as
project-sizing and documentation requirements, project
questionnaires, staff roles and responsibilities, the work-breakdown
schedule, primary points of contacts, and a system-risk matrix.

      30
         Earned-value is a management technique that measures the amount of
planned work completed in relation to the funds expended.

      Major IT investment plans are also summarized and reported in
the Exhibit 300. The Exhibit 300 captures cost, schedule, and
performance data along with earned-value, project assumptions, and
risks. Further, the DEA Investment Guide states that after a project’s
concept proposal is approved, a business case must be developed for
further consideration. A business case consists of a project plan,
feasibility study, cost-benefit analysis, and concept of operations.
These documents are all part of the PMP.

       Actual Performance Data. For an organization to establish
control of projects in Stage 2 of the ITIM Management Framework, it is
essential that all performance data, including cost, schedule, benefits,
risks, and system functionality for each IT project, are collected and
disseminated to the appropriate IT investment boards. In addition, to
monitor the long-term value of a project or system, the organization
needs to collect and distribute this information to the appropriate IT
investment boards during agreed-upon stages of the project’s life
cycle.

       Currently, the DEA uses its project managers to collect and
distribute cost and schedule data for individual projects. This
information is provided to the investment boards through
presentations at board meetings. Additionally, the project
performance data is also captured in the Exhibit 300. The DEA is in
the process of assessing earned-value management tools, one of
which is to be selected and implemented during FY 2004. When
implemented, the earned-value tool will provide additional project
metrics that will be reported to the ITIM boards by the ITIM
Management Group.

      Performance Reviews. The ITIM Framework states that
investment boards should oversee the performance of IT projects by
conducting reviews at predetermined checkpoints or major milestones
in order to compare actual project costs and schedules with the
proposal.

      During the control phase of the ITIM process, investments are to
be subject to periodic progress reviews to assess cost management,
schedule variance, and realization of planned benefits. Based on the
information collected during these reviews, the ITIM Management
Group is to determine which projects are at risk, and then follow up
on those projects to identify the problem and the solution.

     DEA investment boards’ activities are evolving and will include
more activities during the control phase in 2004. We reviewed the
minutes of Business Council meetings in December 2003 and found
that during the presentations for each project, program managers
informed the Business Council of the status of their respective
projects. As stated earlier, the investment boards conduct oversight
responsibilities by exception, focusing on investments that show a
10-percent or greater variance in cost or schedule. The ITIM
Management Group, in conjunction with the Quality Management Unit,
collects and validates the information provided by project managers
and presents the data to the investment boards for review.

Critical Process #5: Capturing Investment Information

      During this critical process the organization identifies its IT
assets and creates a comprehensive repository of investment
information. This repository is used to track the organization’s IT
resources. For an organization to make good IT investment decisions,
it must be able to acquire pertinent information about each investment
and store that information in a retrievable format, to be used in
making future investment decisions.

      To complete this critical process, the DEA implemented three key
practices:

     •   identified and collected specific information on IT projects and
         systems to support decisions about them,

     •   ensured that information collected is accessible and
         understandable to decision-makers, and

     •   provided a repository to be used by investment decision
         makers to support investment management.

      Information Collection. The ITIM Framework suggests that a
standard, documented procedure be used to ensure that developing
and maintaining information on projects and systems is replicable and
produces IT data that is timely, sufficient, complete, and comparable.
The information may be prepared by the information systems support
component of the organization and verified and validated by a
designated official or another organizational unit.

      The DEA Office of Information Systems inventories and accounts
for the assets comprising the physical infrastructure, which includes
workstations, servers, printers, storage devices, and
telecommunication devices. The information collected includes the
type of equipment and a unique identifier for the equipment, usually a
barcode, acquisition date, deployment date, and location. The DEA
similarly maintains a software inventory. These two inventories
became the foundation of two of the four EA components. The
physical infrastructure is documented in the Application Architecture,
and the software inventory is documented in the Technical
Architecture. In addition, the DEA’s OMB Exhibit 53, IT Investment
Portfolio, shows the prior-year, current-year, and budget-year costs
for developing and maintaining IT projects.31

      According to the DEA self-assessment, the physical inventory
and the financial data collected on IT projects are used not only for the
management of the assets but also in the project planning process.
For example, the information collected about the physical
infrastructure deployed to each DEA field division is necessary to
determine when and where the deployment of a new application will
take place, especially if the new application requires an updated
physical infrastructure. Business Council minutes documented that the
Council uses information collected about the IT projects and systems
to make decisions on whether to select, continue, or terminate a
project.

       Information Accessibility. According to the ITIM Framework, a
repository of information about the IT investments is of value only to
the extent that decision-makers and stakeholders use the information.
Knowledge of the information contained in the repository by staff and
managers throughout the organization can help to avoid duplication of
effort and facilitate the reconciling of overlapping resources. For
example, a report generated from the information contained in the
repository can be used to better manage the licensing of an
organization’s application software by showing individually licensed
applications that may be candidates for group licensing.

      The DEA makes the IT system and project inventories available
to the investment boards as necessary to allow the boards to view
proposed investments in the context of similar initiatives. The
inventory of systems is also submitted to the Department’s CIO as
part of the IT budget formulation process. The inventory then
becomes the basis for reporting the DEA IT portfolio on
OMB Exhibit 53.

      As stated earlier, the inventory and financial data for the IT
projects are provided to the Business Council for its review and for
making funding recommendations to the Executive Review Board. The
Business Council then provides the funding recommendations, along
with supporting documentation, to the Executive Review Board, which
reviews and makes decisions about the DEA’s IT portfolio.

       31
         OMB Exhibit 53 is a listing of an agency’s entire IT investment portfolio. An
agency is required to submit an Exhibit 53 to OMB if the agency’s financial
management budget is $500,000 or more in any given year.

      Maintaining the Information Repository. According to the ITIM
Framework, informed investment decisions require up-to-date
information. Maintaining the integrity of the information repository is
important to ensure that the repository remains a useful
decision-making tool. As projects and systems change through
additions, updates, or deletions, the status of the projects and systems
should be documented in the repository. An individual or
organizational unit should be designated to maintain the repository.

       According to the DEA’s self-assessment, the IT inventory
maintained as part of the DEA EA is crucial to future investment
decisions. The knowledge of current assets – including capabilities,
limitations, and expected lifespan – is an important part of any
decision that affects the DEA investment portfolio. The ITIM
Management Group is responsible for periodically updating the
inventory based on DEA decisions about the agency’s infrastructure
and software configuration.

      Our review of the DEA PMP determined that the DEA includes a
change-control page to track all changes made to the project. We also
found that the DEA Investment Guide requires that during the control
phase, investments are subject to periodic progress reviews to assess
cost management, schedule variance, and the realization of planned
benefits.

      ITIM Stage 2 Summary

      The DEA has completed the ITIM Framework’s critical processes
necessary to build an IT investment foundation. The critical processes
include: 1) establishment of investment boards, 2) identification of
business needs for IT projects, 3) IT investment selection, 4) IT
project oversight, and 5) IT system and project identification and
tracking.

Stage 3 Not Yet Completed

      Stage 3 of the ITIM Framework focuses on the investment
boards’ enhancement of the ITIM process by developing a complete
investment portfolio. According to the ITIM Framework, having a
portfolio perspective enables an organization to consider its
investments in a comprehensive manner. The portfolio perspective to
IT investing is important in that it allows the investment boards to
select investments that address not only the strategic goals,
objectives, and mission of the organization, but also the effect that
projects have on each other. To develop an IT investment portfolio,
an organization combines all its IT assets, resources, and investments
— considering new proposals along with previously funded investments
— and identifying the appropriate mix of IT investments that best
meets its mission, organizational, and technology needs, and priorities
for improvements.

       Stage 3 maturity requires the accomplishment of four critical
processes; the DEA has not yet completed them. To attain Stage 3
maturity, the DEA needs to implement 27 key practices within the 4
critical processes. We found that as of February 2004, the DEA had
completed 9 of the 27 key practices. However, the DEA has not
completed all the key practices within any of the critical processes.

Critical Process #1: Defining the Portfolio Criteria

      According to the ITIM Framework, portfolio selection criteria are
a necessary part of an IT investment management process.
Developing an IT investment portfolio involves defining appropriate IT
investment cost, benefit, schedule, and risk criteria to ensure that the
organization’s strategic goals, objectives, and mission will be satisfied
by the selected investments. Portfolio selection criteria reflect the
strategic and enterprise-wide focus of the organization and build on
the criteria that are used to select individual IT projects. The ITIM
Framework states that IT projects are sometimes selected on the basis
of an isolated business need, the type and availability of funds, or the
receptivity of management to a project proposal. The portfolio
selection criteria should be applied as uniformly as possible throughout
the organization to ensure that decision-making is consistent and the
processes become institutionalized. When an organization’s mission or
business needs and strategies change, the criteria should be
re-examined.

      To ensure that the IT investment portfolio criteria are defined,
the DEA implemented the following key practices in accordance with
the ITIM Framework:

     •   documents policies and procedures for creating and modifying
         IT portfolio selection criteria;

     •   assigns responsibility for managing the development and
         modification of the IT portfolio selection criteria;

     •   ensures that the investment board approved the IT portfolio
         selection criteria based on the organization’s mission, goals,
         strategies, and priorities;

     •   ensures that project managers and other stakeholders are
         aware of the portfolio selection criteria; and

     •   ensures that the investment board reviewed the IT portfolio
         selection criteria and modified the criteria as appropriate.

      Policies and Procedures. The DEA uses DOJ Order 2880.1A and
OMB Circular A-11 as the criteria for its IT portfolio selection. The
Order and the Circular emphasize project performance and value
added to the agency. DOJ Order 2880.1A provides criteria for
selecting major IT investments and defines a major investment as any
one that the Department’s CIO determines requires special
management attention because of its importance to an agency
mission, political sensitivity, and high development and maintenance
costs, regardless of whether such work is performed by government
employees or contracted out. According to the Department’s CIO, for
an investment to be considered a major IT investment it must meet
one of the following criteria:

     •   annual cost greater than $10 million, or total life-cycle cost
         greater than $50 million;

     •   any financial information system with an annual cost greater
         than $500,000;

     •   any investment that is mandated for department-wide use;

     •   any investment that affects multiple Department of Justice
         organizational components;

     •   any investment required by law or designated by Congress as
         a budget “line item”; or

     •   any high-risk or politically sensitive investment, as
         determined by the Department’s CIO.

      OMB Circular A-11, Section 300, defines a major investment as
one of the following: a system or investment that requires special
management attention because of its importance to an agency’s
mission, an investment that is directly linked to the top two layers of
the Federal Enterprise Architecture (Services to Citizens and Mode of
Delivery), or an investment that is an integral part of an agency’s EA.
All major investments are reported on Exhibit 53, which becomes one
source, along with the EA and physical infrastructure, for the agency’s
investment portfolio. The use of DOJ Order 2880.1A and
OMB Circular A-11 meets the ITIM Framework requirements for
portfolio selection criteria.

      Criteria Development Responsibility. The ITIM Framework states
that an individual or working group should be assigned the
responsibility of developing IT portfolio selection criteria and for
modifying the criteria as necessary. Individuals who are assigned the
task of developing and modifying the criteria should have a working
knowledge of investment management. Developing the right criteria
with which to analyze a portfolio of projects is a critical component of
making sound investment decisions.

       The DEA ITIM Management Group is responsible for interpreting
the above-mentioned criteria and facilitating their application. The
criteria are documented in the DEA Investment Guide and incorporated
in the scoring sheets used by the Business Council to rank the
proposed investments. The DEA is ensuring that the Business Council
uses the correct criteria for selecting portfolio investments by
incorporating the criteria into the scoring sheets.

      Portfolio Selection Criteria. According to the ITIM Framework,
the criteria for selecting portfolio investments should be linked directly
to the organization’s broader mission, goals, strategies, and priorities.
This ensures that the selected IT investments will support the larger
organizational purposes. The Framework points out that the criteria
should also take into account the organization’s EA to: 1) avoid
unwarranted overlap across investments, 2) ensure maximum system
interoperability, and 3) increase the assurance that investments are
consistent with the IT strategy as captured in the EA.

       The selection criteria used for assessing and ranking individual
investments and proposals should generally include four essential
investment elements: cost, benefit, schedule, and risk. The
assessment may also include other criteria to aid in evaluating
relationships among investments. Organizations typically focus on
these four elements and develop multiple measures under each broad
element.


      As stated earlier, the DEA uses DOJ Order 2880.1A and
OMB Circular A-11, Section 300, as criteria for selecting portfolio
investments. In addition, the DEA has established investment
selection criteria within the DEA Investment Guide, which defines the
core selection criteria that are based on DEA missions, goals,
strategies, and priorities. The charters of the Executive Review Board
and the Business Council reiterate these core criteria. The Executive
Review Board’s charter also grants authority to the Executive Review
Board to approve changes to the DEA’s ITIM process.

       The Executive Review Board evaluates funding proposals based
on uniform criteria to ensure that all investments meet at least
minimum requirements. These criteria include evaluating risk, cost,
and mission benefits. As stated previously in the Stage 2 section of
this finding, the projects are compared against each other in a
portfolio setting and rated on a color scale.

       The Business Council’s scoring sheet includes the following
criteria for evaluating projects: performance goals, risk management,
security, project planning and spending, mission support and impact,
and cost. The scoring sheet covers the selection criteria elements as
outlined in the ITIM Framework and the DEA Investment Guide. The
DEA first used this scoring sheet to rank proposed IT investments in
2003 as part of the FY 2005 budget formulation process.

      Selection Criteria Awareness. The ITIM Framework states that
the criteria for selecting portfolio investments should be disseminated
to each IT investment board and IT project managers, organizational
planners, and any other interested parties. The selection criteria
should be clearly addressed in funding submissions for IT projects.

      The DEA program managers use a standardized template to
complete the investment proposals. The selection criteria are
embedded within the template to ensure that the program managers
are not only aware of the criteria but also address them. Again, the
Business Council’s scoring worksheet used to rank all investments also
contains the selection criteria. The Exhibit 300 prepared by the
program managers also includes financial data, security, agency
mission and strategic goals, and risk assessments.

      Our review of the minutes of a December 2003 Business Council
meeting showed that all 19 IT investment proposals were presented
using the standardized template. For the FY 2005 budgetary process,
the DEA prepared 15 Exhibits 300 for new and ongoing IT
investments. Because the project managers used the standardized
template to submit project proposals, and the investment boards used
both the Exhibits 300 and the scoring sheet to rank projects, we
conclude that both project management personnel and the investment
boards are aware of the portfolio selection criteria.

       Selection Criteria Review. The criteria for selecting IT
investments may be changed based on: 1) historical experience;
2) changes in the organization’s strategic direction, business goals, or
priorities; or 3) other factors, such as increased IT management
capabilities or technological changes. Ultimately, however, the task of
modifying the criteria will be based on the experience and judgment of
the enterprise-wide investment boards.

       According to the DEA self-assessment, the DEA Business Council
uses its experience to rank investments within the framework of the
portfolio selection criteria summarized in the scoring worksheet. The
Executive Review Board has the authority to recommend and approve
changes to the ITIM process, which includes the portfolio selection
criteria. The Business Council has been in operation for only one
budget cycle, and there have been no modifications to the criteria.
The Chief of the ITIM Management Group told us that the DEA would
begin implementing the control phase of the ITIM process in 2004.

Critical Process #2: Creating the Portfolio

      The development of the IT investment portfolio is an ongoing
process that includes decision-making, prioritization, review,
realignment, and reprioritization of projects that are competing for
resources and funding. The process for creating the portfolios should
ensure that each IT investment board manages investments according
to an organizational, strategic-planning perspective. The boards
should collectively analyze and compare all investments and proposals
to select those that best fit with the strategic business direction,
needs, and priorities of the entire organization.

      To implement the critical process of creating an IT investment
portfolio, the DEA must establish six key practices. The DEA has
completed two of the six key practices:

      •   established policies and procedures for analyzing, selecting,
          and maintaining the investment portfolio; and

      •   ensured that boards’ members are knowledgeable about the
          process of creating a portfolio.


       Policies, Procedures, and Processes. According to the ITIM
Framework, each IT investment board should have policies and
procedures in place to help it select the most promising proposals and
to ensure that the most feasible investments are considered. These
policies should include specific screening criteria to help identify and
expedite the selections.

       The DEA has documented the processes for selecting an
investment portfolio in its DEA Investment Guide, which provides
policies and procedures that supplement and support guidance from
DOJ Order 2880.1A and OMB Circular A-11 regarding investment
analysis. The Investment Guide contains detailed processes for
analyzing, selecting and maintaining the investment portfolio. In
addition, the DEA requires program managers to develop an Exhibit
300, as explained in OMB Circular A-11, for all projects to be
submitted for final funding approval. The Exhibit 300 includes a
description of the project and a justification describing the costs,
project management, schedule, and risks.

      Board Members’ Knowledge. As stated previously, the DEA
included the criteria within a scoring sheet format to be used by the
Business Council in reviewing and selecting portfolio investments. In
doing this, the DEA has ensured that the investment board is
knowledgeable of the criteria to be used in selecting portfolio
investments.

      Uncompleted Key Practices. The DEA is working on, but has not
yet implemented, the following four key practices:

      •   ensures that the investment boards are provided with
          information comparing actual project and system
          performance to expected performance;

      •   ensures that the IT investment boards examine the mix of
          new and ongoing investments and select investments for
          funding;

      •   ensures that each investment board approves or modifies
          performance expectations for its selected IT investments; and

      •   ensures that information used to select, control, and evaluate
          the portfolio is captured and maintained for future reference.

      As stated before, the DEA has detailed procedures for selecting,
controlling, and evaluating portfolio investments. Through our review
of the supporting documentation given to us by the DEA and minutes
of the Business Council’s meetings, we conclude that the DEA is
operating according to the procedures outlined for the selection of
investments. However, because the Business Council has only been in
operation for one budgetary cycle, we were unable to determine if the
“control” and “evaluate” procedures have been implemented. The
Chief of the Strategic Business and Analysis Management Group told
us that the DEA would implement the control phase of the ITIM
process during 2004.

      We also found that the DEA has taken steps to ensure that
information used to select, control, and evaluate the portfolio is
captured and maintained for future reference. The DEA maintains the
minutes and action items from investment board meetings
electronically for retrieval at a later date. The DEA also uses an
Information Technology Investment Portfolio System (ITIPS), which
tracks the planning, acquisition, and operations of Automated
Information Systems and IT investments. The ITIPS also complies
with federal requirements such as the Government Performance and
Results Act, the Paperwork Reduction Act, and the Clinger-Cohen Act.
According to the DEA self-assessment, the DEA is assessing other tools
to better capture the required information about IT investments.

       The DEA’s ability to effectively capture investment information
on past and present IT decisions can translate into better decisions on
IT investments during control phase activities, as well as during the
evaluation and selection processes. As stated previously, without an
effective system to capture IT investment information, the DEA may
base IT decisions more on judgment, intuition, and partial data than
on objective, systematic, IT-related information that is routinely
collected and analyzed. The ITIM Framework states that IT
information systems that deliver information that is up-to-date,
encompassing, and presented in a useful format will enhance the
decision process.

Critical Processes #3 and #4: Evaluating the Portfolio and
       Conducting Post Implementation Reviews

      The two remaining critical processes within Stage 3 of the ITIM
Framework involve evaluating the investment portfolio and performing
post-implementation reviews on it. The DEA had not yet completed
those critical processes as of February 2004.

      As stated previously, the DEA has procedures in place for
evaluating investments within the portfolio. However, no work has
been done to evaluate those investments. Although the DEA’s ITIM
process has been in operation for two fiscal years and one budgetary
cycle, the agency has not yet advanced into the evaluation phase of
the ITIM Framework. The DEA self-assessment stated that the DEA is
beginning to implement a 10-percent threshold for cost and schedule
variance to guide in evaluating IT portfolio performance.

      To streamline the Business Council and the Executive Review
Board’s access to current information on the status of DEA IT
investments, the DEA is working to implement the DOJ/CIO Dashboard
to provide information on the status of IT projects.32 Once
implemented, the Business Council, the Executive Review Board, and
project managers may use the Dashboard to gain a quick reference to
determine the cost, schedule, and risks for investments contained in
the DEA IT portfolio.

      In addition, the DEA has not provided formal training for
investment boards’ members to ensure that the members are
familiar with portfolio evaluation and improvement procedures. As
stated previously, at the beginning of the meeting the DEA ITIM
Management Group outlines for the Business Council the process to be
used for IT investment review. In our judgment, a formal training
session would enable the investment boards to become more familiar
with the ranking categories and to understand what each category
entails and how each category is important to the evaluation of each
IT investment.

      ITIM Stage 3 Summary

       The DEA has completed 9 of 27 key practices necessary to attain
Stage 3 maturity of the ITIM Framework. The agency has defined the
policies and procedures to be used in the portfolio selection process,
established responsibility for criteria development, and has made the
investment boards aware of the established criteria. However, the
DEA has not yet: 1) obtained and utilized a system to effectively
capture investment information for projects, or 2) provided training to
investment boards’ members on the evaluation criteria for IT
investments.




      32
           The DOJ/CIO Dashboard is a Department database that provides the
Department’s CIO, component CIOs, and project managers with current status
information on major and other highly visible IT systems in the Department’s
portfolio.

Attaining Stage 4 Maturity

       According to the ITIM Framework, the primary focus of Stage 4
is to improve the overall performance of an agency’s IT portfolio. To
attain the Stage 4 level of maturity, an agency must implement two
critical processes: 1) evaluate the performance of the portfolio and use
the information gained from the evaluation to improve both current IT
investment processes and the future performance of the investment
portfolio, and 2) manage the succession of information systems by
replacing low-value systems with higher-value systems.

       The ITIM Framework states that an agency should know how
well investments in information management and technology are
contributing to improvements in mission performance. Improving the
portfolio’s performance is, at the level of the investment portfolio, the
equivalent of Stage 3’s post-implementation reviews for an
investment. At Stage 4, an agency determines how well a portfolio of
IT investments is: 1) helping to achieve the strategic needs of the
enterprise, 2) satisfying the needs of business units and users with IT
products and services, and 3) improving IT business performance for
users and for the enterprise as a whole. To make these
determinations, an agency’s entire portfolio of investments should be
compiled and analyzed, and investment trends examined. To perform
the analysis of the entire portfolio, an agency may use the information
compiled from the post-implementation reviews, the IT investment
boards’ experiences, and the results to date for major investments.

       Also at Stage 4, the agency enhances its ability to forecast, plan,
and manage the migration to new system investments. At this stage,
the target EA and transition plan can be useful guides in evaluating
which investments should be phased out and which ones the agency
should retain. According to the ITIM Framework, Stage 4 maturity is
significant because some IT investments can outlive their usefulness
and yet consume resources that outweigh the IT investments’ benefits
to the agency.

      The DEA stated in its self-assessment that it has not yet
implemented any of the key practices for Stage 4 maturity. In
addition, in order for the DEA to consider Stage 4 maturity it must
implement all key practices in Stage 3.

Attaining Stage 5 Maturity

       According to the ITIM Framework, at Stage 5 an agency is using
its IT investment capabilities both to anticipate the effects of
next-generation information technologies and to significantly drive
strategic business transformation. As an agency’s capability to run
effective management processes to constantly select, control, and
evaluate IT investments matures, the agency can more effectively
examine how best to institute major business transformations to better
achieve its missions. These major business transformations will
include fundamental changes to how the agency applies new
information technologies to support changes in customer interaction
and service delivery processes.

      For the DEA to attain Stage 5 maturity it must: 1) attain
Stage 4 maturity by implementing all key practices within Stages 3
and 4, 2) optimize the investment process by ensuring that best
practices of other organizations are captured and incorporated into the
DEA’s IT investment process, and 3) use IT to strategically transform
work processes and explore new and more effective ways of executing
the DEA’s mission.

Conclusion

       The DEA is making progress toward implementing a process to
effectively manage its IT investments. The DEA has attained Stage 2
of the five maturity stages outlined in the ITIM Framework by: 1)
establishing IT investment boards and defining the membership,
guiding policies, operations, roles, responsibilities, and authorities for
each board; 2) developing business cases that identify key executive
sponsors and business customers or end-users and the business needs
that the IT project will support; 3) defining a process that is used to
select new IT project proposals and reselect ongoing projects; 4)
providing investment oversight by monitoring projects regarding cost
and schedule expectations as well as anticipated benefits and risk; and
5) capturing the investment information necessary for executive
decision-makers to make informed decisions about the DEA’s IT
investments.

      The DEA has made progress toward attaining Stage 3 maturity
of the ITIM Framework, by completing 9 of the 27 necessary key
practices. Specifically, the DEA has defined the policies and
procedures to be used in the portfolio selection process, established
responsibility for criteria development, and has made the investment
boards aware of the established criteria. To attain Stage 3 maturity,
the DEA must: 1) obtain and utilize a system to effectively capture
investment information for projects, and 2) provide training to
investment boards’ members on the evaluation criteria for IT
investments.

      To attain Stage 4 and 5 maturity as described by the ITIM
Framework, the DEA must: 1) evaluate the performance of the
portfolio and use the information gained from the evaluation to
improve both current IT investment processes and the future
performance of the investment portfolio, 2) manage the succession of
information systems by replacing low-value systems with higher-value
systems, 3) optimize the investment process by ensuring that best
practices of other organizations are captured and incorporated within
the DEA’s IT investment process, and 4) use IT to strategically
transform work processes and explore new and more effective ways of
executing the DEA’s mission.

Recommendations
     We recommend that the DEA:

6.   train members of the investment boards on the criteria for
     evaluating IT investments; and

7.   establish a schedule for completing Stages 3 through 5 of the
     ITIM process to control and evaluate the DEA’s IT investments.




            STATEMENT ON COMPLIANCE WITH
                LAWS AND REGULATIONS

      We have audited the DEA’s management of Enterprise
Architecture and IT investments. The audit was conducted in
accordance with Government Auditing Standards. As required by the
standards, we reviewed management processes and records to obtain
reasonable assurance about the DEA’s compliance with laws and
regulations that, if not complied with, in our judgment, could have a
material effect on DEA operations. Compliance with laws and
regulations applicable to the DEA’s handling of Enterprise Architecture
and IT investments is the responsibility of the DEA’s management.

      Our audit included examining, on a test basis, evidence about
laws and regulations. The specific laws and regulations against which
we conducted our tests are contained in the relevant portions of the
Clinger-Cohen Act of 1996 and OMB Circular A-11, Section 300.

      The Clinger-Cohen Act of 1996:

      •     as applied to the Enterprise Architecture, requires the CIOs
            for major departments and agencies to develop, maintain,
            and facilitate the implementation of architectures as a
            means of integrating business processes and agency goals
            with IT; and

      •     as applied to the management of IT investments, defines
            requirements for capital planning and control of IT
            investments and mandates a select/control/evaluate
            approach that federal agencies must follow.

      OMB Circular A-11, Section 300:

      •     as applied to IT investment management, establishes the
            criteria for completing Exhibits 300, which is the format
            used to represent the purpose for the proposed investment
            to agency management and the OMB.

      Except for those issues cited in the Finding and
Recommendations section of our report, our tests indicated that for
those items reviewed, the DEA’s management complied with the laws
and regulations referred to above. With respect to those items not
tested, nothing came to our attention that caused us to believe that
the DEA’s management did not comply with the laws and regulations
cited above.

         STATEMENT ON MANAGEMENT CONTROLS


       In planning and performing our audit of the DEA’s management
of its EA and IT investments, we considered the DEA’s management
controls for the purpose of determining our audit procedures. This
evaluation was not made for the purpose of providing assurance on
the management control structure as a whole; however, we noted
certain matters that we consider to be reportable conditions under
Government Auditing Standards.

       Reportable conditions involve matters coming to our attention
relating to significant deficiencies in the design or operation of the
management control structure that, in our judgment, could adversely
affect the DEA’s ability to manage its EA and IT investments. During
our audit, we identified the following management control concerns.

     •   The DEA has not yet completed an EA to drive its IT
         investments.

     •   The DEA has not yet implemented the control and evaluate
         processes necessary to complete its IT investment capability.

      Because we are not expressing an opinion on the DEA’s
management control structure as a whole, this statement is intended
solely for the information and use of the DEA in managing its EA and
IT investments. This restriction is not intended to limit the distribution
of this report, which is a matter of public record.




                                                         APPENDIX 1


        OBJECTIVES, SCOPE, AND METHODOLOGY

Objectives

       The objectives of the audit were to: 1) determine if the DEA was
effectively managing its Enterprise Architecture; and 2) determine if
the DEA was effectively managing its IT investments.

Scope and Methodology

      The audit was performed in accordance with Government
Auditing Standards, and included tests and procedures necessary to
accomplish the audit objectives. We conducted work at the DEA
Headquarters in Arlington, Virginia.

      To perform our audit, we conducted approximately 17 interviews
with 9 officials from the DEA, DOJ, GAO, and Bearing Point – the
contractor being used to complete the DEA’s EA. Additionally, we reviewed
over 90 documents related to EA and IT management policies and
procedures, project management guidance, strategic plans, IT project
proposals, budget documentation, organizational structures,
investment board minutes, and prior GAO reports.

      To determine whether the DEA is effectively managing its EA, we
used the GAO’s EA Management Framework as criteria. As part of our
assessment of the DEA’s EA, the DEA completed a survey developed
by the GAO to identify which of the core elements in the EA
Management Framework were implemented. We reviewed the survey
and obtained supporting documentation for the core elements that the
DEA said were implemented. We did not test or review documentation
for the core elements that the DEA considered not implemented or
partially implemented. We did not perform an independent analysis of
the DEA’s current EA to determine if all business areas and IT systems
were listed. We made an assumption that the DEA’s current
architecture represented the DEA’s existing IT infrastructure.

      To determine whether the DEA is effectively managing its IT
investments, we applied the GAO’s ITIM Framework and the associated
assessment method. As part of the Framework’s assessment method,
the DEA completed a self-assessment of its IT investment
management activities. In addition to the self-assessment, the DEA
provided documentation (for example, policies and procedures,
templates, program managers’ presentations, meeting minutes, and
training agenda and information) to support its claims within the
self-assessment. We examined the documentation provided to
determine if the DEA implemented the key practices within the critical
processes. We did not review documentation for the key practices in
the self-assessment that the DEA considered not implemented or
partially implemented.




                                                  APPENDIX 2


                   ACRONYMS

CFO     Chief Financial Officer

CIO     Chief Information Officer

CMM     Capability Maturity Model

DEA     Drug Enforcement Administration

DOJ     Department of Justice

EA      Enterprise Architecture

FEAF    Federal Enterprise Architecture Framework

GAO     Government Accountability Office

IT      Information Technology

ITIM    Information Technology Investment Management

ITIPS   Information Technology Investment Portfolio System

JMD     Justice Management Division

OCIO    Office of the Chief Information Officer

OIG     Office of the Inspector General

OMB     Office of Management and Budget

PMP     Project Management Plan




                                                          APPENDIX 3


                THE THREE COMPONENTS OF
                    THE ITIM PROCESS



     Select

      Within the “select” component of the capital planning and
investment control process, an agency is to:

     1. evaluate each investment to determine whether the
        investment will support core mission functions,

     2. demonstrate a projected return on the investment that is
        clearly equal to or better than alternative uses of available
        public resources,

     3. prepare and update a benefit-cost analysis for each
        information system throughout its life cycle,

     4. prepare and maintain a portfolio of major information
        systems,

     5. ensure consistency with the agency’s EA,

     6. establish oversight mechanisms to ensure continuing security
        and availability of systems and their data, and

     7. ensure that improvements to existing information systems
        and the development of planned information systems do not
        unnecessarily duplicate IT capabilities within the same agency.

     Control

      Within the “control” component of the capital planning and
investment control process, an agency is to:

     1. institute performance measures and management processes
        that monitor actual performance compared to expected
        results,



      2. establish oversight mechanisms that require periodic review
         of information systems to determine whether the information
         systems continue to fulfill ongoing and anticipated mission
         requirements,

      3. ensure that major information systems proceed in a timely
         fashion toward agreed-upon milestones,

      4. prepare and update a strategy that identifies and mitigates
         risks associated with each information system, and

      5. ensure that agency EA procedures are being followed.

     Evaluate

      Within the “evaluate” component of the capital planning and
investment control process, an agency is to:

      1. conduct post-implementation reviews of information systems
         and information resource management processes to validate
         estimated benefits and costs and to document effective
         management practices for broader use;

      2. evaluate systems to ensure positive return on investment and
         to decide whether continuation, modification, or termination
         of the systems is necessary to meet agency mission
         requirements;

      3. document lessons learned from the post-implementation
         reviews;

      4. reassess an investment’s technical compliance and
         compliance with EA; and

      5. update the EA and IT capital planning processes as needed.




Source: The Office of Management and Budget.




                                                                                                                     APPENDIX 4


            Summary of the EA Management Framework’s Maturity Stages,
                  Critical Success Attributes, and Core Elements

Maturity stages, in order of increasing maturation:

     Stage 1: Creating EA awareness
     Stage 2: Building the EA management foundation
     Stage 3: Developing EA products
     Stage 4: Completing EA products
     Stage 5: Leveraging the EA to manage change

Attribute 1: Demonstrates commitment

     Stage 2: Adequate resources exist. Committee or group representing
              the enterprise is responsible for directing, overseeing,
              or approving EA.
     Stage 3: Written and approved organization policy exists for EA
              development.
     Stage 4: Written and approved organization policy exists for EA
              maintenance.
     Stage 5: Written and approved organization policy exists for IT
              investment compliance with EA.

Attribute 2: Provides capability to meet commitment

     Stage 2: Program office responsible for EA development and
              maintenance exists. EA is being developed using a
              framework, methodology, and automated tool.
     Stage 3: EA products are under configuration management.
     Stage 4: EA products and management processes undergo independent
              verification and validation.
     Stage 5: Process exists to formally manage EA change. EA is
              integral component of IT investment management process.

Attribute 3: Demonstrates satisfaction of commitment

     Stage 2: EA plans call for describing both the “as is” and the
              “to-be” environments of the enterprise, as well as a
              sequencing plan for transitioning from the “as is” to the
              “to-be”. EA plans call for describing both the “as is” and
              the “to-be” environments in terms of business,
              performance, information/data, application/service, and
              technology descriptions to address security.
     Stage 3: EA products describe or will describe both the “as is” and
              the “to-be” environments of enterprise, as well as a
              sequencing plan for transitioning from the “as is” to the
              “to-be”. Both the “as is” and the “to-be” environments are
              described or will be described in terms of business,
              performance, information/data, application/service, and
              technology. Business, performance, information/data,
              application/service, and technology descriptions address
              or will address security.
     Stage 4: EA products describe both the “as is” and the “to-be”
              environments of enterprise, as well as a sequencing plan
              for transitioning from the “as is” to the “to-be”. Both
              the “as is” and the “to-be” environments are described in
              terms of business, performance, information/data,
              application/service, and technology. Business,
              performance, information/data, application/service, and
              technology descriptions address security. Organization CIO
              has approved current version of EA. Committee or group
              representing the enterprise or the investment review board
              has approved current version of EA.
     Stage 5: EA products are periodically updated. IT investments
              comply with EA. Organization head has approved current
              version of EA.

Attribute 4: Verifies satisfaction of commitment

     Stage 2: EA plans call for developing metrics for measuring EA
              progress, quality, compliance, and return on investment.
     Stage 3: Progress against EA plans is measured and reported.
     Stage 4: Quality of EA products is measured and reported.
     Stage 5: Return on EA investment is measured and reported.
              Compliance with EA is measured and reported.



           Source: The U.S. Government Accountability Office.




                                                         APPENDIX 5


                  DEA’S IT MANAGEMENT PROGRAM

[Figure: DEA IT Management Program chart. Labels recoverable from the
chart, by row:]

     Strategic Planning: Strategic Plan/Goals; Performance Plan /
          Measures (Capital Plan); Performance Plan Report (EVMS
          Summary)
     Budget: Base/Prelim. Funding; Development/Capital Funding; O&M
          Funding
     Procurement: Studies/Analyses Contracts; Integration/Development
          Contracts; Support/Maintenance Contracts
     IT Investment Mgmt (ITIM): Select (Plan, Justify); Control
          (Operate, Acquire, Monitor, Deploy); Evaluate (Review, Modify,
          Assess, Phase-out)
     Quality Management: Quality Management Program; Standards
          Compliance; Product Quality; Process Quality CMM; System
          Performance; Customer Satisfaction; Metrics Management (Cost,
          Schedule, Quality, Performance)
     IT Security: Facilitated Risk Assessment Process (FRAP); Security
          Test and Evaluation (ST&E); Certification & Accreditation
     System Development Life Cycle (SDLC) [Program Management]:
          Rational Unified Process (Inception, Elaboration,
          Construction, Transition); Concept Alternatives; Cost Benefit;
          ROI; Risk; Project Planning; Budget Development; Performance
          Measures; Functional Requirements; Software Requirements;
          System Design; Coding; System Testing; Independent Testing
          (IV&V, I&P, Acceptance); Deploy; Operations; Maintenance;
          Retire/Dispose/Replace
     Enterprise Architecture: Business Architecture; Component Data
          Architecture; Component Applications Architecture; Component
          Technology Architecture; Component Architecture Assessment
     Training: Develop/Update Training Materials; Present Training;
          Evaluate Training Effectiveness
     Process Tools: Intranet, Webster, MicroSoft Office suite, MicroSoft
          Project, processMax, CostXpert, RITS, SIMS, Rational
     Side labels: Business Goals; Data Collection and Metrics

Source: The Drug Enforcement Administration.
                                                         APPENDIX 6


               The Drug Enforcement Administration
                       ORGANIZATION CHART

ADMINISTRATOR

     Staff offices:
          Office of Chief Counsel
          Office of Congressional and Public Affairs
          Exec. Policy & Strategic Planning Staff
          Administrative Law Judges

     Human Resources Division (Assistant Administrator)
          Career Board
          Board of Professional Conduct
          Equal Employment Opportunity Staff
          Office of Personnel
          Office of Training

     Operations Division (Chief of Operations)
          Office of Domestic Operations
          Office of Diversion Control
          Office of International Operations
          Office of Operations Management
          Special Operations Division
          Aviation Division

     Intelligence Division (Assistant Administrator)
          Office of Strategic Intelligence
          Office of International Intelligence
          Office of Special Intelligence
          Office of Intelligence Policy & Management
          El Paso Intelligence Center

     Financial Management Division (Chief Financial Officer)
          Office of Acquisition Management
          Office of Finance
          Office of Resource Management

     Operational Support Division (Assistant Administrator (CIO))
          Office of Administration
          Office of Information Systems
          Office of Forensic Sciences
          Office of Investigative Technology

     Inspection Division (Chief Inspector)
          Office of Inspections
          Office of Professional Responsibility
          Office of Security Programs

Source: The Drug Enforcement Administration.
                                                                        APPENDIX 7


                                DEA PROGRESS THROUGH STAGE 3
                               OF THE EA MANAGEMENT FRAMEWORK

                         Core Elements                               Status
                                                                             Not
                                                             Implemented Implemented
STAGE 2
Critical Attribute #1: Demonstrates Commitment
Core Elements
Adequate Resources
EA Governing Committees

Critical Attribute #2: Capability to Meet Commitment

         Core Elements
EA Program Office
Appointment of Chief Architect
EA Development
Critical Attribute #3: Demonstrates Satisfaction of
Commitment

         Core Elements
EA Program Plan Development
Security

Critical Attribute #4: Verifies Satisfaction of Commitment

         Core Elements
EA Progress Measurement

STAGE 3
Critical Process #1: Defining the Portfolio Criteria
         Key Practices
Documented Policies and Procedures
Criteria Development Responsibility
Adequate Resources
Working Group Responsibility
Portfolio Selection Criteria
Selection Criteria Awareness
Selection Criteria Review



        Critical Process #2: Creating the Portfolio
        Key Practices
Policies, Procedures, and Processes
Adequate Resources
Board Members’ Knowledge
Expectation and Performance comparison
New and Ongoing Investment Examination
Performance Expectation Modification
Archiving Used Information

Critical Process #3: Evaluating the Portfolio
        Key Practices
Policies and Procedures
Adequate Resources
Board’s Knowledge of Evaluation Criteria
Board Review Provision
Assessment Criteria Development
Performance Measurement Data and Criteria
Investment Adjustments
Critical Process #4: Conducting Post-Implementation Reviews
        Key Practices
Documented policies and procedures
Resource adequacy
Investment board knowledge
Investment board identification
Data use and collection
Investment board assessment


    Source: Office of the Inspector General.




                                                                         APPENDIX 8

                             FEDERAL ENTERPRISE ARCHITECTURE FRAMEWORK

                             [Figure not reproduced]

             Source: The Drug Enforcement Administration.

                                                                                APPENDIX 9


                                  DEA PROGRESS THROUGH STAGE 3
                                      OF THE ITIM FRAMEWORK

Key Practices                                                          Status
                                                                                  Not
                                                                  Implemented Implemented
STAGE 2
Critical Process #1: Instituting the Investment Board
Key practices
Investment Boards
IT Investment Process
Adequate Resources
Competence
Avoiding Duplication of Gaps

Oversight Responsibilities

Controls

Critical Process #2: Identifying Business Needs for IT Projects

       Key Practices
Policies and Procedures
Business Mission
Identifying Business Needs
Specific User Identification
End-Users Participation
Investment Board Evaluation

Critical Process #3: Selecting An Investment

       Key Practices
Policies and Procedures
Adequate Resources
Criteria
Organizational Objectives
Selection Process
Reselection Process
Funding vs. Selection Decisions





      Critical Process #4: Providing Investment Oversight

      Key Practices
Policies and Procedures
Adequate Resources
Project Management Plans
Actual Performance Data
Performance Reviews
Critical Process #5: Capturing Investment Information
      Key Practices
Information Collection

Information Accessibility

Maintaining the Information Repository


STAGE 3
Critical Process #1: Defining the Portfolio Criteria
      Key Practices
Documented Policies and Procedures
Criteria Development Responsibility
Adequate Resources
Working Group Responsibility
Portfolio Selection Criteria
Selection Criteria Awareness
Selection Criteria Review

Critical Process #2: Creating the Portfolio
      Key Practices
Policies, Procedures, and Processes
Adequate Resources
Board Members’ Knowledge
Expectation and Performance comparison
New and Ongoing Investment Examination
Performance Expectation Modification
Archiving Used Information





Critical Process #3: Evaluating the Portfolio
      Key Practices
Policies and Procedures
Adequate Resources
Board’s Knowledge of Evaluation Criteria
Board Review Provision
Assessment Criteria Development
Performance Measurement Data and Criteria
Investment Adjustments
Critical Process #4: Conducting Post-Implementation Reviews
      Key Practices
Documented policies and procedures
Resource adequacy
Investment board knowledge
Investment board identification
Data use and collection
Investment board assessment


        Source: Office of the Inspector General.




         APPENDIX 10




                                                               APPENDIX 11

    OIG, AUDIT DIVISION ANALYSIS AND SUMMARY OF
         ACTIONS NECESSARY TO CLOSE REPORT

      We provided a draft audit report to the DEA for review and comment.
The response from the DEA is incorporated as Appendix 10 of this final
report. The DEA concurred with the recommendations resulting from the
audit. Our analysis of the DEA’s response to specific recommendations is
provided below.

Recommendation Number:

1. Resolved. This recommendation is resolved based on the DEA’s plan to
   determine its current Enterprise Architecture (EA) maturity level and
   establish an EA Review Board that will apply the Government
   Accountability Office’s Maturity Model criteria and the metrics within the
   model. This recommendation can be closed when we receive and review
   documentation that the DEA is applying metrics to measure EA progress,
   quality, compliance, and return on investment.

2. Resolved. This recommendation is resolved based on the DEA’s plan to
   develop a charter, policy, plan, and maintenance process to keep the
   DEA’s EA aligned with the federal and the Department of Justice EA
   framework and guidance. This recommendation can be closed when we
   receive and review a copy of the policy for EA development and
   maintenance that meets the requirements of the EA Management
   Framework.

3. Resolved. This recommendation is resolved based on the DEA’s intent to
   actively ensure that configuration controls are provided and obeyed. This
   recommendation can be closed when we receive and review a copy of the
   maintenance process that will ensure the completed EA undergoes
   configuration management.

4. Resolved. This recommendation is resolved based on the DEA’s plan to
   integrate security with EA so that all of the artifacts of the DEA’s EA will
   be aligned with security attributes and comply with the Federal
   Information Security Management Act. This recommendation can be
   closed when we receive and review documentation that the target
   architecture addresses security as outlined in the EA Program Plan.

5. Resolved. This recommendation is resolved based on the DEA’s plan to
   integrate the target EA with the Information Technology Investment
   Management (ITIM) process to ensure that the DEA’s information
   technology investments are not duplicative, are well integrated, are cost
   effective, and support the DEA mission. This recommendation can be
   closed when we receive and review documentation that the remaining EA
   stages are completed and implemented.

6. Resolved. This recommendation is resolved based on the DEA’s plan to
   schedule an ITIM investment board meeting to focus on investment
   management training, including process, evaluating, scoring, and EA.
   This recommendation can be closed when we receive and review
   documentation that the board members have received the planned
   training.

7. Resolved. This recommendation is resolved based on the DEA’s
   intention to review and update the ITIM transition plan based on current
   activities, strategies, and plans. This recommendation can be closed
   when we receive and review the DEA’s schedule for completing Stages
   3 through 5 of the ITIM process to control and evaluate the DEA’s
   information technology investments.



